deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into andreiztm-branch

Browse Source
This commit is contained in:
Meghan Stewart 2022-01-12 11:29:19 -08:00
commit 388984ca12
392 changed files with 11460 additions and 10203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.acrolinx-config.edn
View File

@ -1,4 +1,4 @@
{:allowed-branchname-matches ["master"]
{:allowed-branchname-matches ["master" "main"]
:allowed-filename-matches ["windows/"]
:targets
@ -47,12 +47,12 @@ For more information about the exception criteria and exception process, see [Mi
Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
| Article | Score | Issues | Scorecard | Processed |
| ------- | ----- | ------ | --------- | --------- |
| Article | Score | Issues | Spelling<br>issues | Scorecard | Processed |
| ------- | ----- | ------ | ------ | --------- | --------- |
"
:template-change
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | [link](${acrolinx/scorecard}) | ${s/status} |
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/spelling} | [link](${acrolinx/scorecard}) | ${s/status} |
"
:template-footer

116
.openpublishing.redirection.json
View File

@ -1,5 +1,105 @@
{
"redirections": [
{
"source_path": "windows/client-management/mdm/browserfavorite-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-10-mobile-security-guide.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/windowssecurityauditing-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/windowssecurityauditing-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/remotelock-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/remotelock-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/registry-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/registry-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/maps-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/maps-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/hotspot-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/filesystem-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/EnterpriseExtFileSystem-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/EnterpriseExtFileSystem-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseext-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseext-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-xsd.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
@ -5072,7 +5172,7 @@
},
{
"source_path": "windows/device-security/windows-10-mobile-security-guide.md",
"redirect_url": "/windows/security/threat-protection/windows-10-mobile-security-guide",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -5377,7 +5477,7 @@
},
{
"source_path": "windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -11987,7 +12087,7 @@
},
{
"source_path": "windows/keep-secure/installing-digital-certificates-on-windows-10-mobile.md",
"redirect_url": "/windows/access-protection/installing-digital-certificates-on-windows-10-mobile",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -13477,7 +13577,7 @@
},
{
"source_path": "windows/keep-secure/windows-10-mobile-security-guide.md",
"redirect_url": "/windows/device-security/windows-10-mobile-security-guide",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
@ -16411,7 +16511,7 @@
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md.md",
"source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md",
"redirect_url": "/microsoft-365/security/defender-endpoint/gov",
"redirect_document_id": false
},
@ -19201,7 +19301,11 @@
"source_path": "windows/client-management/mdm/policy-csp-admx-skydrive.md",
"redirect_url": "/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools",
"redirect_document_id": true
},
{
"source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md",
"redirect_url": "/legal/windows/license-terms-windows-diagnostic-data-for-powershell",
"redirect_document_id": false
}
]
}

2
browsers/edge/group-policies/index.yml
View File

@ -9,7 +9,7 @@ metadata:
keywords: Microsoft Edge Legacy, Windows 10
ms.localizationpriority: medium
ms.prod: edge
author: shortpatti
author: dougeby
ms.author: pashort
ms.topic: landing-page
ms.devlang: na

2
browsers/edge/index.yml
View File

@ -11,7 +11,7 @@ metadata:
ms.localizationpriority: medium
ms.topic: landing-page # Required
ms.collection: collection # Optional; Remove if no collection is used.
author: shortpatti #Required; your GitHub user alias, with correct capitalization.
author: dougeby #Required; your GitHub user alias, with correct capitalization.
ms.author: pashort #Required; microsoft alias of author; optional team alias.
ms.date: 07/07/2020 #Required; mm/dd/yyyy format.

2
browsers/edge/microsoft-edge-faq.yml
View File

@ -62,7 +62,7 @@ sections:
- question: Will Internet Explorer 11 continue to receive updates?
answer: |
We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](/lifecycle/faq/internet-explorer-microsoft-edge). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
- question: How do I find out which version of Microsoft Edge I have?
answer: |

6
browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
View File

@ -14,9 +14,7 @@ ms.author: dansimp
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)<br>
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
<p>
<img src="images/docmode-decisions-lg.png" alt="Full-sized flowchart detailing how document modes are chosen in IE11" width="1355" height="1625" style="max-width:none;">
</p>
:::image type="content" source="images/docmode-decisions-lg.png" alt-text="Full-sized flowchart detailing how document modes are chosen in IE11" lightbox="images/docmode-decisions-lg.png":::

9
browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
View File

@ -36,11 +36,4 @@ Use the topics in this section to learn about how to auto detect your settings,
|------|------------|
|[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. |
|[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. |
|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. | 
|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |

4
browsers/internet-explorer/internet-explorer.yml
View File

@ -31,7 +31,7 @@ landingContent:
- text: Use Enterprise Mode to improve compatibility
url: /microsoft-edge/deploy/emie-to-improve-compatibility
- text: Lifecycle FAQ - Internet Explorer
url: https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer
url: /lifecycle/faq/internet-explorer-microsoft-edge
- linkListType: download
links:
- text: Download IE11 with Windows 10
@ -123,7 +123,7 @@ landingContent:
- text: Group Policy preferences for IE11
url: ./ie11-deploy-guide/group-policy-preferences-and-ie11.md
- text: Configure Group Policy preferences
url: https://support.microsoft.com/help/2898604/how-to-configure-group-policy-preference-settings-for-internet-explorer-11-in-windows-8.1-or-windows-server-2012-r2
url: /troubleshoot/browsers/how-to-configure-group-policy-preference-settings
- text: Blocked out-of-date ActiveX controls
url: ./ie11-deploy-guide/blocked-out-of-date-activex-controls.md
- text: Out-of-date ActiveX control blocking

4
browsers/internet-explorer/kb-support/ie-edge-faqs.yml
View File

@ -148,7 +148,7 @@ sections:
- question: |
Where to find Internet Explorer security zones registry entries
answer: |
Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](https://support.microsoft.com/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users).
Most of the Internet Zone entries can be found in [Internet Explorer security zones registry entries for advanced users](/troubleshoot/browsers/ie-security-zones-registry-entries).
This article was written for Internet Explorer 6 but is still applicable to Internet Explorer 11.
@ -193,7 +193,7 @@ sections:
answer: |
Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed.
For more information, see [Lifecycle FAQ — Internet Explorer and Edge](https://support.microsoft.com/help/17454/lifecycle-faq-internet-explorer).
For more information, see [Lifecycle FAQ — Internet Explorer and Edge](/lifecycle/faq/internet-explorer-microsoft-edge).
- question: |
How to configure TLS (SSL) for Internet Explorer

9
education/includes/education-content-updates.md
View File

@ -2,6 +2,15 @@
## Week of December 13, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 12/13/2021 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
| 12/13/2021 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
## Week of November 29, 2021

2
education/windows/windows-11-se-overview.md
View File

@ -20,7 +20,7 @@ ms.topic: article
- Windows 11 SE
- Microsoft Intune for Education
Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled.
Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately).
For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:

39
education/windows/windows-11-se-settings-list.md
View File

@ -62,6 +62,45 @@ The following settings can't be changed.
| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
| Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). |
## What's available in the Settings app
On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown.
- Accessibility
- Accounts
- Email & accounts
- Apps
- Bluetooth & devices
- Bluetooth
- Printers & scanners
- Mouse
- Touchpad
- Typing
- Pen
- AutoPlay
- Network & internet
- WiFi
- VPN
- Personalization
- Taskbar
- Privacy & security
- System
- Display
- Notifications
- Tablet mode
- Multitasking
- Projecting to this PC
- Time & Language
- Language & region
## Next steps
[Windows 11 SE for Education overview](windows-11-se-overview.md)

167
smb/cloud-mode-business-setup.md
View File

@ -34,7 +34,7 @@ In this walkthrough, we'll show you how to deploy and manage a full cloud IT sol
- Create policies and app deployment rules
- Log in as a user and start using your Windows device
Go to the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a> and select **Products** to learn more about pricing and purchasing options for your business.
Go to [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business) to learn more about pricing and purchasing options for your business.
## Prerequisites
@ -50,16 +50,17 @@ Here's a few things to keep in mind before you get started:
To set up a cloud infrastructure for your organization, follow the steps in this section.
### 1.1 Set up Office 365 for business
See <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a> to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to:
See [Microsoft 365 admin center for business](/microsoft-365/admin) and [Microsoft 365 resources for nonprofits](https://www.microsoft.com/nonprofits/microsoft-365) to learn more about the setup steps for businesses and nonprofits who have Office 365. You can learn how to:
- Plan your setup
- Create Office 365 accounts and how to add your domain.
- Install Office
To set up your Microsoft 365 for business tenant, see <a href="https://support.office.com/article/Get-started-with-Office-365-for-Business-d6466f0d-5d13-464a-adcb-00906ae87029" target="_blank">Get Started with Microsoft 365 for business</a>.
To set up your Microsoft 365 for business tenant, see [Get Started with Microsoft 365 for business](/microsoft-365/business-video/what-is-microsoft-365).
If you're new at setting up Office 365, and you'd like to see how it's done, you can follow these steps to get started:
1. Go to the <a href="https://products.office.com/business/office-365-affiliate-program-buy-business-premium" target="_blank">Office 365</a> page in the <a href="https://business.microsoft.com" target="_blank">Microsoft Business site</a>. Select **Try now** to use the Microsoft 365 Business Standard Trial or select **Buy now** to sign up for Microsoft 365 Business Standard. In this walkthrough, we'll select **Try now**.
1. Go to [Try or buy a Microsoft 365 for business subscription](/microsoft-365/commerce/try-or-buy-microsoft-365). In this walkthrough, we'll select **Try now**.
**Figure 1** - Try or buy Office 365
@ -68,7 +69,7 @@ If you're new at setting up Office 365, and you'd like to see how it's done, you
2. Fill out the sign up form and provide information about you and your company.
3. Create a user ID and password to use to sign into your account.
This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the admin portal).
This step creates an `onmicrosoft.com` email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into [https://portal.office.com](https://portal.office.com) (the admin portal).
4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code.
5. Select **You're ready to go...** which will take you to the Microsoft 365 admin center.
@ -78,7 +79,7 @@ If you're new at setting up Office 365, and you'd like to see how it's done, you
**Figure 2** - Microsoft 365 admin center
![Opens the Microsoft 365 admin center.](images/office365_portal.png)
:::image type="content" alt-text="Opens the Microsoft 365 admin center." source="images/office365_portal.png":::
6. Select the **Admin** tile to go to the admin center.
@ -88,22 +89,22 @@ If you're new at setting up Office 365, and you'd like to see how it's done, you
**Figure 3** - Admin center
![Complete the Office 365 setup in the Microsoft 365 admin center.](images/office365_admin_portal.png)
:::image type="content" alt-text="Complete the Office 365 setup in the Microsoft 365 admin center." source="images/office365_admin_portal.png":::
8. Go back to the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a> to add or buy a domain.
8. Go back to the [admin center](https://portal.office.com/adminportal/home#/homepage) to add or buy a domain.
1. Select the **Domains** option.
**Figure 4** - Option to add or buy a domain
![Add or buy a domain in admin center.](images/office365_buy_domain.png)
:::image type="content" alt-text="Add or buy a domain in admin center." source="images/office365_buy_domain.png":::
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as `fabrikamdesign.onmicrosoft.com`.
**Figure 5** - Microsoft-provided domain
![Microsoft-provided domain.](images/office365_ms_provided_domain.png)
:::image type="content" alt-text="Microsoft-provided domain." source="images/office365_ms_provided_domain.png":::
- If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain.
- If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order.
@ -112,7 +113,7 @@ If you're new at setting up Office 365, and you'd like to see how it's done, you
**Figure 6** - Domains
![Verify your domains in the admin center.](images/office365_additional_domain.png)
:::image type="content" alt-text="Verify your domains in the admin center." source="images/office365_additional_domain.png":::
### 1.2 Add users and assign product licenses
Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center.
@ -121,55 +122,55 @@ When adding users, you can also assign admin privileges to certain users in your
**To add users and assign product licenses**
1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a>, select **Users > Active users**.
1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Users > Active users**.
**Figure 7** - Add users
![Add Office 365 users.](images/office365_users.png)
:::image type="content" alt-text="Add Office 365 users." source="images/office365_users.png":::
2. In the **Home > Active users** page, add users individually or in bulk.
- To add users one at a time, select **+ Add a user**.
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the admin center* in <a href="https://support.office.com/article/Add-users-individually-or-in-bulk-to-Office-365-Admin-Help-1970f7d6-03b5-442f-b385-5880b9c256ec" target="_blank">Add users individually or in bulk to Office 365 - Admin Help</a>.
If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see [Add users and assign licenses at the same time](/microsoft-365/admin/add-users/add-users).
**Figure 8** - Add an individual user
![Add an individual user.](images/office365_add_individual_user.png)
:::image type="content" alt-text="Add an individual user." source="images/office365_add_individual_user.png":::
- To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see <a href="https://support.office.com/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88" target="_blank">Add several users at the same time to Office 365 - Admin Help</a>. Once you've added all the users, don't forget to assign **Product licenses** to the new users.
The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see [Add users and assign licenses at the same time](/microsoft-365/admin/add-users/add-users). Once you've added all the users, don't forget to assign **Product licenses** to the new users.
**Figure 9** - Import multiple users
![Import multiple users.](images/office365_import_multiple_users.png)
:::image type="content" alt-text="Import multiple users." source="images/office365_import_multiple_users.png":::
3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them.
**Figure 10** - List of active users
![Verify users and assigned product licenses.](images/o365_active_users.png)
:::image type="content" alt-text="Verify users and assigned product licenses." source="images/o365_active_users.png":::
### 1.3 Add Microsoft Intune
Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see <a href="/intune/understand-explore/introduction-to-microsoft-intune" target="_blank">What is Intune?</a>
Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see [Microsoft Intune is an MDM and MAM provider](/mem/intune/fundamentals/what-is-intune).
**To add Microsoft Intune to your tenant**
1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a>, select **Billing > Purchase services**.
1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Billing > Purchase services**.
2. In the **Home > Purchase services** screen, search for **Microsoft Intune**. Hover over **Microsoft Intune** to see the options to start a free 30-day trial or to buy now.
3. Confirm your order to enable access to Microsoft Intune.
4. In the admin center, the Intune licenses will show as available and ready to be assigned to users. Select **Users > Active users** and then edit the product licenses assigned to the users to turn on **Intune A Direct**.
**Figure 11** - Assign Intune licenses
![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png)
:::image type="content" alt-text="Assign Microsoft Intune licenses to users." source="images/o365_assign_intune_license.png":::
5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
6. Select **Intune**. This step opens the Endpoint Manager admin center.
**Figure 12** - Microsoft Intune management portal
![Microsoft Intune management portal.](images/intune_portal_home.png)
:::image type="content" alt-text="Microsoft Intune management portal." source="images/intune_portal_home.png":::
Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution).
@ -178,7 +179,7 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
**To add Azure AD to your domain**
1. In the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a>, select **Admin centers > Azure AD**.
1. In the [admin center](https://portal.office.com/adminportal/home#/homepage), select **Admin centers > Azure AD**.
> [!NOTE]
> You will need Azure AD Premium to configure automatic MDM enrollment with Intune.
@ -187,57 +188,57 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
**Figure 13** - Access to Azure AD is not available
![Access to Azure AD not available.](images/azure_ad_access_not_available.png)
:::image type="content" alt-text="Access to Azure AD not available." source="images/azure_ad_access_not_available.png":::
3. From the error message, select the country/region for your business. The region should match with the location you specified when you signed up for Office 365.
4. Select **Azure subscription**. This step will take you to a free trial sign up screen.
**Figure 14** - Sign up for Microsoft Azure
![Sign up for Microsoft Azure.](images/azure_ad_sign_up_screen.png)
:::image type="content" alt-text="Sign up for Microsoft Azure." source="images/azure_ad_sign_up_screen.png":::
5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**.
6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**.
**Figure 15** - Start managing your Azure subscription
![Start managing your Azure subscription.](images/azure_ad_successful_signup.png)
:::image type="content" alt-text="Start managing your Azure subscription." source="images/azure_ad_successful_signup.png":::
This step will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
This step will take you to the [Microsoft Azure portal](https://portal.azure.com).
### 1.5 Add groups in Azure AD
This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see <a href="/azure/active-directory/active-directory-manage-groups" target="_blank">Managing access to resources with Azure Active Directory groups</a>.
This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see [Managing access to resources with Azure Active Directory groups](/azure/active-directory/active-directory-manage-groups.
To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal (https://manage.windowsazure.com)</a>. See <a href="/azure/active-directory/active-directory-accessmanagement-manage-groups" target="_blank">Managing groups in Azure Active Directory</a> for more information about managing groups.
To add Azure AD group(s), use the [Microsoft Azure portal](https://portal.azure.com). See [Managing groups in Azure Active Directory](/azure/active-directory/active-directory-accessmanagement-manage-groups) for more information about managing groups.
**To add groups in Azure AD**
1. If this is the first time you're setting up your directory, when you navigate to the **Azure Active Directory** node in the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, you will see a screen informing you that your directory is ready for use.
1. If this is the first time you're setting up your directory, when you navigate to the **Azure Active Directory** node, you will see a screen informing you that your directory is ready for use.
Afterwards, you should see a list of active directories. In the following example, **Fabrikam Design** is the active directory.
**Figure 16** - Azure first sign-in screen
![Select Azure AD.](images/azure_portal_classic_configure_directory.png)
:::image type="content" alt-text="Select Azure AD." source="images/azure_portal_classic_configure_directory.png":::
2. Select the directory (such as Fabrikam Design) to go to the directory's home page.
**Figure 17** - Directory home page
![Directory home page.](images/azure_portal_classic_directory_ready.png)
:::image type="content" alt-text="Directory home page." source="images/azure_portal_classic_directory_ready.png":::
3. From the menu options on top, select **Groups**.
**Figure 18** - Azure AD groups
![Add groups in Azure AD.](images/azure_portal_classic_groups.png)
:::image type="content" alt-text="Add groups in Azure AD." source="images/azure_portal_classic_groups.png":::
4. Select **Add a group** (from the top) or **Add group** at the bottom.
5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list.
**Figure 19** - Newly added group in Azure AD
![Verify the new group appears on the list.](images/azure_portal_classic_all_users_group.png)
:::image type="content" alt-text="Verify the new group appears on the list." source="images/azure_portal_classic_all_users_group.png":::
6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes.
@ -245,34 +246,34 @@ To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.c
**Figure 20** - Members in the new group
![Members added to the new group.](images/azure_portal_classic_members_added.png)
:::image type="content" alt-text="Members added to the new group." source="images/azure_portal_classic_members_added.png":::
7. Repeat steps 2-6 to add other groups. You can add groups based on their roles in your company, based on the apps that each group can use, and so on.
### 1.6 Configure automatic MDM enrollment with Intune
Now that you have Azure AD Premium and have it properly configured, you can configure automatic MDM enrollment with Intune, which allows users to enroll their Windows devices into Intune management, join their devices directly to Azure AD, and get access to Office 365 resources after sign in.
You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/" target="_blank">this blog post</a> to learn how you can combine login, Azure AD Join, and Intune MDM enrollment into an easy step so that you can bring your devices into a managed state that complies with the policies for your organization. We will use this blog post as our guide for this part of the walkthrough.
You can read the [Windows 10, Azure AD and Microsoft Intune blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/) to learn how you can combine login, Azure AD Join, and Intune MDM enrollment into an easy step so that you can bring your devices into a managed state that complies with the policies for your organization. We will use this blog post as our guide for this part of the walkthrough.
> [!IMPORTANT]
> We will use the classic Azure portal instead of the new portal to configure automatic MDM enrollment with Intune.
**To enable automatic MDM enrollment**
1. In the <a href="https://manage.windowsazure.com/" target="_blank">classic Azure portal</a>, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
1. In the Azure portal, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options.
The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list.
**Figure 21** - List of applications for your company
![List of applications for your company.](images/azure_portal_classic_applications.png)
:::image type="content" alt-text="List of applications for your company." source="images/azure_portal_classic_applications.png":::
2. Select **Microsoft Intune** to configure the application.
3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune.
**Figure 22** - Configure Microsoft Intune in Azure
![Configure Microsoft Intune in Azure.](images/azure_portal_classic_configure_intune_app.png)
:::image type="content" alt-text="Configure Microsoft Intune in Azure." source="images/azure_portal_classic_configure_intune_app.png":::
4. In the Microsoft Intune configuration page:
- In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance.
@ -291,66 +292,66 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
**Figure 23** - Configure Microsoft Intune
![Configure automatic MDM enrollment with Intune.](images/azure_portal_classic_configure_intune_mdm_enrollment.png)
:::image type="content" alt-text="Configure automatic MDM enrollment with Intune." source="images/azure_portal_classic_configure_intune_mdm_enrollment.png":::
### 1.7 Configure Microsoft Store for Business for app distribution
Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune.
In this part of the walkthrough, we'll be working on the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a> and <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a>.
In this part of the walkthrough, use the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and [Microsoft Store for Business](https://businessstore.microsoft.com/Store/Apps).
**To associate your Store account with Intune and configure synchronization**
1. From the <a href="https://manage.microsoft.com/" target="_blank">Microsoft Intune management portal</a>, select **Admin**.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first item you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**.
**Figure 24** - Mobile device management
![Set up mobile device management in Intune.](images/intune_admin_mdm_configure.png)
:::image type="content" alt-text="Set up mobile device management in Intune." source="images/intune_admin_mdm_configure.png":::
3. Sign into <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
3. Sign into [Microsoft Store for Business](https://businessstore.microsoft.com/Store/Apps) using the same tenant account that you used to sign into Intune.
4. Accept the EULA.
5. In the Store portal, select **Settings > Management tools** to go to the management tools page.
6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business.
**Figure 25** - Activate Intune as the Store management tool
![Activate Intune from the Store portal.](images/wsfb_management_tools_activate.png)
:::image type="content" alt-text="Activate Intune from the Store portal." source="images/wsfb_management_tools_activate.png":::
7. Go back to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
7. Go back to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
**Figure 26** - Configure Store for Business sync in Intune
![Configure Store for Business sync in Intune.](images/intune_admin_mdm_store_sync.png)
:::image type="content" alt-text="Configure Store for Business sync in Intune." source="images/intune_admin_mdm_store_sync.png":::
9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
**Figure 27** - Enable Microsoft Store for Business sync in Intune
![Enable Store for Business sync in Intune.](images/intune_configure_store_app_sync_dialog.png)
:::image type="content" alt-text="Enable Store for Business sync in Intune." source="images/intune_configure_store_app_sync_dialog.png":::
The **Microsoft Store for Business** page will refresh and it will show the details from the sync.
**To buy apps from the Store**
In your <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
In your [Microsoft Store for Business portal](https://businessstore.microsoft.com/Store/Apps), you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory:
- Sway
- OneNote
- PowerPoint Mobile
- Excel Mobile
- Word Mobile
In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune.
In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune.
In the following example, we'll show you how to buy apps through the Microsoft Store for Business and then make sure the apps appear on Intune.
**Example 1 - Add other apps like Reader and InstaNote**
1. In the <a href="https://businessstore.microsoft.com/Store/Apps" target="_blank">Microsoft Store for Business</a> portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
1. In the [Microsoft Store for Business portal](https://businessstore.microsoft.com/Store/Apps), click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list.
**Figure 28** - Shop for Store apps
![Shop for Store apps.](images/wsfb_shop_microsoft_apps.png)
:::image type="content" alt-text="Shop for Store apps." source="images/wsfb_shop_microsoft_apps.png":::
2. Click to select an app, such as **Reader**. This opens the app page.
3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page.
@ -360,7 +361,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
**Figure 29** - App inventory shows the purchased apps
![Confirm that your inventory shows purchased apps.](images/wsfb_manage_inventory_newapps.png)
:::image type="content" alt-text="Confirm that your inventory shows purchased apps." source="images/wsfb_manage_inventory_newapps.png":::
> [!NOTE]
> Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync).
@ -369,18 +370,18 @@ In the following example, we'll show you how to buy apps through the Microsoft S
If you need to sync your most recently purchased apps and have it appear in your catalog, you can do this by forcing a sync.
1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin > Mobile Device Management > Windows > Store for Business**.
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Admin > Mobile Device Management > Windows > Store for Business**.
2. In the **Microsoft Store for Business** page, click **Sync now** to force a sync.
**Figure 30** - Force a sync in Intune
![Force a sync in Intune.](images/intune_admin_mdm_forcesync.png)
:::image type="content" alt-text="Force a sync in Intune." source="images/intune_admin_mdm_forcesync.png":::
**To view purchased apps**
- In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
- In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
**To add more apps**
- If you have other apps that you want to deploy or manage, you must add it to Microsoft Intune. To deploy Win32 apps and Web links, see <a href="/intune/deploy-use/add-apps-for-mobile-devices-in-microsoft-intune" target="_blank">Add apps for enrolled devices to Intune</a> for more info on how to do this.
- If you have other apps that you want to deploy or manage, you must add it to Microsoft Intune. To deploy Win32 apps and Web links, see [Add apps to Microsoft Intune](/mem/intune/apps/apps-add) for more info on how to do this.
## 2. Set up devices
@ -395,7 +396,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
**Figure 31** - First screen in Windows device setup
![First screen in Windows device setup.](images/win10_hithere.png)
:::image type="content" alt-text="First screen in Windows device setup." source="images/win10_hithere.png":::
> [!NOTE]
> During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection.
@ -405,13 +406,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi
**Figure 32** - Choose how you'll connect your Windows device
![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png)
:::image type="content" alt-text="Choose how you'll connect the Windows device." source="images/win10_choosehowtoconnect.png":::
4. In the **Let's get you signed in** screen, sign in using a user account you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
**Figure 33** - Sign in using one of the accounts you added
![Sign in using one of the accounts you added.](images/win10_signin_admin_account.png)
:::image type="content" alt-text="Sign in using one of the accounts you added." source="images/win10_signin_admin_account.png":::
5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup.
@ -425,16 +426,16 @@ Verify that the device is set up correctly and boots without any issues.
2. Confirm that the Store and built-in apps are working.
### 2.3 Verify the device is Azure AD joined
In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune.
**To verify if the device is joined to Azure AD**
1. Check the device name on your PC. On your Windows PC, select **Settings > System > About** and then check **PC name**.
**Figure 34** - Check the PC name on your device
![Check the PC name on your device.](images/win10_settings_pcname.png)
:::image type="content" alt-text="Check the PC name on your device." source="images/win10_settings_pcname.png":::
2. Log in to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>.
2. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
3. Select **Groups** and then go to **Devices**.
4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC.
- Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section.
@ -443,7 +444,7 @@ In the <a href="https://manage.microsoft.com/" target="_blank">Intune management
**Figure 35** - Check that the device appears in Intune
![Check that the device appears in Intune.](images/intune_groups_devices_list.png)
:::image type="content" alt-text="Check that the device appears in Intune." source="images/intune_groups_devices_list.png":::
## 3. Manage device settings and features
You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
@ -454,7 +455,7 @@ In this section, we'll show you how to reconfigure app deployment settings and a
In some cases, if an app is missing from the device, you need to reconfigure the deployment settings for the app and set the app to require installation as soon as possible.
**To reconfigure app deployment settings**
1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps** and go to **Apps > Volume-Purchased Apps**.
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps** and go to **Apps > Volume-Purchased Apps**.
2. Select the app, right-click, then select **Manage Deployment...**.
3. Select the group(s) whose apps will be managed, and then click **Add** to add the group.
4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app.
@ -462,7 +463,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 36** - Reconfigure an app's deployment setting in Intune
![Reconfigure app deployment settings in Intune.](images/intune_apps_deploymentaction.png)
:::image type="content" alt-text="Reconfigure app deployment settings in Intune." source="images/intune_apps_deploymentaction.png":::
6. Click **Finish**.
7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
@ -472,12 +473,12 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 37** - Confirm that additional apps were deployed to the device
![Confirm that additional apps were deployed to the device.](images/win10_deploy_apps_immediately.png)
:::image type="content" alt-text="Confirm that additional apps were deployed to the device." source="images/win10_deploy_apps_immediately.png":::
### 3.2 Configure other settings in Intune
**To disable the camera**
1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Policy > Configuration Policies**.
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices > Configuration Policies**.
2. In the **Policies** window, click **Add** to create a new policy.
3. On the **Create a New Policy** page, click **Windows** to expand the group, select **General Configuration (Windows 10 Desktop and Mobile and later)**, choose **Create and Deploy a Custom Policy**, and then click **Create Policy**.
4. On the **Create Policy** page, select **Device Capabilities**.
@ -488,7 +489,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 38** - Add a configuration policy
![Add a configuration policy.](images/intune_policy_disablecamera.png)
:::image type="content" alt-text="Add a configuration policy." source="images/intune_policy_disablecamera.png":::
7. Click **Save Policy**. A confirmation window will pop up.
8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now.
@ -497,16 +498,16 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 39** - The new policy should appear in the **Policies** list.
![New policy appears on the list.](images/intune_policies_newpolicy_deployed.png)
:::image type="content" alt-text="New policy appears on the list." source="images/intune_policies_newpolicy_deployed.png":::
**To turn off Windows Hello and PINs during device setup**
1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin**.
1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Go to **Mobile Device Management > Windows > Windows Hello for Business**.
3. In the **Windows Hello for Business** page, select **Disable Windows Hello for Business on enrolled devices**.
**Figure 40** - Policy to disable Windows Hello for Business
![Disable Windows Hello for Business.](images/intune_policy_disable_windowshello.png)
:::image type="content" alt-text="Disable Windows Hello for Business." source="images/intune_policy_disable_windowshello.png":::
4. Click **Save**.
@ -533,49 +534,49 @@ For other devices, such as those personally-owned by employees who need to conne
**Figure 41** - Add an Azure AD account to the device
![Add an Azure AD account to the device.](images/win10_add_new_user_join_aad.png)
:::image type="content" alt-text="Add an Azure AD account to the device." source="images/win10_add_new_user_join_aad.png":::
4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
**Figure 42** - Enter the account details
![Enter the account details.](images/win10_add_new_user_account_aadwork.png)
:::image type="content" alt-text="Enter the account details." source="images/win10_add_new_user_account_aadwork.png":::
5. You will be asked to update the password so enter a new password.
6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
**Figure 43** - Make sure this is your organization
![Make sure this is your organization.](images/win10_confirm_organization_details.png)
:::image type="content" alt-text="Make sure this is your organization." source="images/win10_confirm_organization_details.png":::
7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
**Figure 44** - Confirmation that the device is now connected
![Confirmation that the device is now connected.](images/win10_confirm_device_connected_to_org.png)
:::image type="content" alt-text="Confirmation that the device is now connected." source="images/win10_confirm_device_connected_to_org.png":::
8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
**Figure 45** - Device is now enrolled in Azure AD
![Device is enrolled in Azure AD.](images/win10_device_enrolled_in_aad.png)
:::image type="content" alt-text="Device is enrolled in Azure AD." source="images/win10_device_enrolled_in_aad.png":::
9. You can confirm that the new device and user are showing up as Intune-managed by going to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
9. You can confirm that the new device and user are showing up as Intune-managed by going to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
### 4.2 Add a new user
You can add new users to your tenant simply by adding them to the Microsoft 365 groups. Adding new users to Microsoft 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn more. Once you're done adding new users, go to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and verify that the same users were added to the Intune groups as well.
See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn more. Once you're done adding new users, go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and verify that the same users were added to the Intune groups as well.
## Get more info
### For IT admins
To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
- <a href="https://support.office.com/article/Set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa" target="_blank">Set up Office 365 for business</a>
- Common admin tasks in Office 365 including email and OneDrive in <a href="https://support.office.com/article/Common-management-tasks-for-Office-365-46c667f7-5073-47b9-a75f-05a60cf77d91" target="_blank">Manage Office 365</a>
- More info about managing devices, apps, data, troubleshooting, and more in <a href="/intune/" target="_blank">Intune documentation</a>
- [Set up Office 365 for business](/microsoft-365/admin/setup)
- Common admin tasks in Office 365 including email and OneDrive in [Manage Office 365](/microsoft-365/admin/)
- More info about managing devices, apps, data, troubleshooting, and more in the [/mem/intune/](/mem/intune/)
- Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/).
- Info about distributing apps to your employees, managing apps, managing settings, and more in <a href="/microsoft-store/" target="_blank">Microsoft Store for Business</a>
- Info about distributing apps to your employees, managing apps, managing settings, and more in [Microsoft Store for Business](/microsoft-store/)
### For information workers
Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:

5
smb/includes/smb-content-updates.md
View File

@ -2,10 +2,9 @@
## Week of October 25, 2021
## Week of December 13, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 10/28/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified |
| 10/28/2021 | [Windows 10/11 for small to midsize businesses](/windows/smb/index) | modified |
| 12/14/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified |

11
store-for-business/includes/store-for-business-content-updates.md
View File

@ -2,6 +2,17 @@
## Week of December 13, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 12/13/2021 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
| 12/13/2021 | [Change history for Microsoft Store for Business and Education](/microsoft-store/sfb-change-history) | modified |
| 12/14/2021 | [Manage user accounts in Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-users-and-groups-microsoft-store-for-business) | modified |
| 12/14/2021 | [Troubleshoot Microsoft Store for Business (Windows 10)](/microsoft-store/troubleshoot-microsoft-store-for-business) | modified |
## Week of November 15, 2021

2
store-for-business/manage-users-and-groups-microsoft-store-for-business.md
View File

@ -44,5 +44,5 @@ If you created a new Azure AD directory when you signed up for Store for Busines
You can use the [Office 365 admin dashboard](https://portal.office.com/adminportal) or [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=691086) to add user accounts to your Azure AD directory. If you'll be using Azure management portal, you'll need an active subscription to [Azure management portal](https://go.microsoft.com/fwlink/p/?LinkId=708617).
For more information, see:
- [Add user accounts using Office 365 admin dashboard](https://support.office.com/en-us/article/add-users-individually-or-in-bulk-to-office-365-admin-help-1970f7d6-03b5-442f-b385-5880b9c256ec)
- [Add user accounts using Office 365 admin dashboard](/microsoft-365/admin/add-users)
- [Add user accounts using Azure management portal](/azure/active-directory/fundamentals/add-users-azure-active-directory)

4
store-for-business/release-history-microsoft-store-business-education.md
View File

@ -1,6 +1,6 @@
---
title: Whats new in Microsoft Store for Business and Education
description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
title: Microsoft Store for Business and Education release history
description: Know the release history of Microsoft Store for Business and Microsoft Store for Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

8
store-for-business/sfb-change-history.md
View File

@ -76,6 +76,7 @@ ms.localizationpriority: medium
| --- | --- |
| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. |
## June 2017
@ -84,10 +85,3 @@ ms.localizationpriority: medium
| [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. |
| [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-device-promotion) | New. Information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
## July 2017
| New or changed topic | Description |
| -------------------- | ----------- |
| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |

2
store-for-business/troubleshoot-microsoft-store-for-business.md
View File

@ -56,7 +56,7 @@ The private store for your organization is a page in Microsoft Store app that co
## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](https://support.microsoft.com/help/4010214/understand-and-troubleshoot-microsoft-store-for-business-integration-w).
If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](/troubleshoot/mem/configmgr/troubleshoot-microsoft-store-for-business-integration).
## Still having trouble?

4
windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
View File

@ -63,7 +63,7 @@ The computer on which you are installing the Office Deployment Tool must have th
| Prerequisite | Description |
|----------------------|--------------------|
| Prerequisite software | .Net Framework 4 |
| Prerequisite software | .NET Framework 4 |
| Supported operating systems | 64-bit version of Windows 10/11<br>64-bit version of Windows 8 or 8.1<br>64-bit version of Windows 7 |
>[!NOTE]
@ -120,7 +120,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
|--------------|----------------------------|----------------|
| Add element | Specifies which products and languages the package will include. | N/A |
| **OfficeClientEdition** (attribute of **Add** element) | Specifies whether Office 2016 32-bit or 64-bit edition will be used. **OfficeClientEdition**  must be set to a valid value for the operation to succeed. | `OfficeClientEdition="32"`<br>`OfficeClientEdition="64"` |
| Product element | Specifies the application. Project 2016 and Visio 2016 must be specified here as added products to include them in the applications.<br>For more information about Product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297). | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
| Product element | Specifies the application. Project 2016 and Visio 2016 must be specified here as added products to include them in the applications.<br>For more information about Product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](/office365/troubleshoot/installation). | `Product ID ="O365ProPlusRetail"`<br>`Product ID ="VisioProRetail"`<br>`Product ID ="ProjectProRetail"` |
| Language element | Specifies which language the applications support. | `Language ID="en-us"` |
| Version (attribute of **Add** element) | Optional. Specifies which build the package will use.<br>Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
| SourcePath (attribute of **Add** element) | Specifies the location the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |

157
windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
View File

@ -19,90 +19,81 @@ ms.author: greglin
The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10 version 1703 and later
<table border="1">
<thead>
<th>Problem</th>
<th>Workaround</th>
</thead>
<tbody>
<tr>
<td>Unable to manually create a system-owned folder needed for the <code>set-AppVClientConfiguration</code> PowerShell cmdlet when using the <i>PackageInstallationRoot</i>, <i>IntegrationRootUser</i>, or <i>IntegrationRootGlobal</i> parameters.</td>
<td>Don&#39;t create this file manually, instead let the <code>Add-AppVClientPackage</code> cmdlet auto-generate it.</td>
</tr>
<tr>
<td>Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.</td>
<td>Make sure you have the complete App-V package or the MSI file from the original app.</td>
</tr>
<tr>
<td>Unable to modify the locale for auto-sequencing.</td>
<td>Open the <code>C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml</code> file and include the language code for your locale. For example, if you wanted Spanish (Spain), you&#39;d use: <strong>es-ES</strong>.</td>
</tr>
<tr>
<td>Filetype and protocol handlers aren&#39;t registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the <strong>Settings &gt; Apps&gt; Default Apps</strong> area.</td>
<td>The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the <strong>&lt;appv:Extensions&gt;</strong> tag:
<pre><code>
&lt;appv:Extension Category="AppV.URLProtocol"&gt;
&lt;appv:URLProtocol&gt;
&lt;appv:Name&gt;ftp&lt;/appv:Name&gt;
&lt;appv:ApplicationURLProtocol&gt;
&lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
&lt;appv:ShellCommands&gt;
&lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
&lt;appv:ShellCommand&gt;
&lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
&lt;appv:Name&gt;open&lt;/appv:Name&gt;
&lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
&lt;appv:DdeExec&gt;
&lt;appv:DdeCommand /&gt;
&lt;/appv:DdeExec&gt;
&lt;/appv:ShellCommand&gt;
&lt;/appv:ShellCommands&gt;
&lt;/appv:ApplicationURLProtocol&gt;
&lt;/appv:URLProtocol&gt;
&lt;/appv:Extension&gt;
&lt;appv:Extension Category="AppV.URLProtocol"&gt;
&lt;appv:URLProtocol&gt;
&lt;appv:Name&gt;http&lt;/appv:Name&gt;
&lt;appv:ApplicationURLProtocol&gt;
&lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
&lt;appv:ShellCommands&gt;
&lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
&lt;appv:ShellCommand&gt;
&lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
&lt;appv:Name&gt;open&lt;/appv:Name&gt;
&lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
&lt;appv:DdeExec&gt;
&lt;appv:DdeCommand /&gt;
&lt;/appv:DdeExec&gt;
&lt;/appv:ShellCommand&gt;
&lt;/appv:ShellCommands&gt;
&lt;/appv:ApplicationURLProtocol&gt;
&lt;/appv:URLProtocol&gt;
&lt;/appv:Extension&gt;
&lt;appv:Extension Category="AppV.URLProtocol"&gt;
&lt;appv:URLProtocol&gt;
&lt;appv:Name&gt;https&lt;/appv:Name&gt;
&lt;appv:ApplicationURLProtocol&gt;
&lt;appv:DefaultIcon&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0&lt;/appv:DefaultIcon&gt;
&lt;appv:ShellCommands&gt;
&lt;appv:DefaultCommand&gt;open&lt;/appv:DefaultCommand&gt;
&lt;appv:ShellCommand&gt;
&lt;appv:ApplicationId&gt;[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe&lt;/appv:ApplicationId&gt;
&lt;appv:Name&gt;open&lt;/appv:Name&gt;
&lt;appv:CommandLine&gt;"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"&lt;/appv:CommandLine&gt;
&lt;appv:DdeExec&gt;
&lt;appv:DdeCommand /&gt;
&lt;/appv:DdeExec&gt;
&lt;/appv:ShellCommand&gt;
&lt;/appv:ShellCommands&gt;
&lt;/appv:ApplicationURLProtocol&gt;
&lt;/appv:URLProtocol&gt;
&lt;/appv:Extension&gt;
</code></pre><br/> </td>
</tr>
</tbody>
</table>
- **Problem**: Unable to manually create a system-owned folder needed for the `set-AppVClientConfiguration` PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters.
**Workaround**: Don't create this file manually, instead let the `Add-AppVClientPackage` cmdlet auto-generate it.
- **Problem**: Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.
**Workaround**: Make sure you have the complete App-V package or the MSI file from the original app.
- **Problem**: Unable to modify the locale for auto-sequencing.
**Workaround**: Open the `C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml` file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES.
- **Problem**: Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area.
**Workaround**: The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the `<appv:Extensions>` tag:
```xml
<appv:Extension Category="AppV.URLProtocol">
<appv:URLProtocol>
<appv:Name>ftp</appv:Name>
<appv:ApplicationURLProtocol>
<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
<appv:ShellCommands>
<appv:DefaultCommand>open</appv:DefaultCommand>
<appv:ShellCommand>
<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
<appv:Name>open</appv:Name>
<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
<appv:DdeExec>
<appv:DdeCommand />
</appv:DdeExec>
</appv:ShellCommand>
</appv:ShellCommands>
</appv:ApplicationURLProtocol>
</appv:URLProtocol>
</appv:Extension>
<appv:Extension Category="AppV.URLProtocol">
<appv:URLProtocol>
<appv:Name>http</appv:Name>
<appv:ApplicationURLProtocol>
<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
<appv:ShellCommands>
<appv:DefaultCommand>open</appv:DefaultCommand>
<appv:ShellCommand>
<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
<appv:Name>open</appv:Name>
<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
<appv:DdeExec>
<appv:DdeCommand />
</appv:DdeExec>
</appv:ShellCommand>
</appv:ShellCommands>
</appv:ApplicationURLProtocol>
</appv:URLProtocol>
</appv:Extension>
<appv:Extension Category="AppV.URLProtocol">
<appv:URLProtocol>
<appv:Name>https</appv:Name>
<appv:ApplicationURLProtocol>
<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
<appv:ShellCommands>
<appv:DefaultCommand>open</appv:DefaultCommand>
<appv:ShellCommand>
<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
<appv:Name>open</appv:Name>
<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
<appv:DdeExec>
<appv:DdeCommand />
</appv:DdeExec>
</appv:ShellCommand>
</appv:ShellCommands>
</appv:ApplicationURLProtocol>
</appv:URLProtocol>
</appv:Extension>
```
## Related resources list
For information that can help with troubleshooting App-V for Windows client, see:

46
windows/client-management/advanced-troubleshooting-boot-problems.md
View File

@ -150,49 +150,19 @@ If you receive BCD-related errors, follow these steps:
2. Restart the computer to check whether the problem is fixed.
3. If the problem is not fixed, run the following command:
```console
Bootrec /rebuildbcd
```
4. You might receive one of the following outputs:
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 0
The operation completed successfully.
```
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
D:\Windows
Add installation to boot list? Yes/No/All:
```
If the output shows **windows installation: 0**, run the following commands:
3. If the problem is not fixed, run the following commands:
```console
bcdedit /export c:\bcdbackup
attrib c:\\boot\\bcd -r s -h
attrib c:\boot\bcd -r -s -h
ren c:\\boot\\bcd bcd.old
ren c:\boot\bcd bcd.old
bootrec /rebuildbcd
```
After you run the command, you receive the following output:
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
{D}:\Windows
Add installation to boot list? Yes/No/All: Y
```
5. Try restarting the system.
4. Restart the system.
### Method 4: Replace Bootmgr
@ -206,7 +176,7 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv
attrib -r -s -h
```
3. Run the same **attrib** command on the Windows (system drive):
3. Navigate to the system drive and run the same command:
```console
attrib -r -s -h
@ -231,7 +201,7 @@ If Windows cannot load the system registry hive into memory, you must restore th
If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder)
## Kernel Phase
@ -394,7 +364,7 @@ If the dump file shows an error that is related to a driver (for example, window
- To do this, open WinRE, open a command prompt, and then run the following command:
```console
SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
```
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
@ -414,4 +384,4 @@ If the dump file shows an error that is related to a driver (for example, window
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
> [!NOTE]
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder).

51
windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
View File

@ -37,9 +37,8 @@ It is important to understand the different Wi-Fi components involved, their exp
The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible components that are causing the connection problem.
### Known Issues and fixes
** **
| **OS version** | **Fixed in** |
| OS version | Fixed in |
| --- | --- |
| **Windows 10, version 1803** | [KB4284848](https://support.microsoft.com/help/4284848) |
| **Windows 10, version 1709** | [KB4284822](https://support.microsoft.com/help/4284822) |
@ -54,13 +53,13 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
- [Windows 10 version 1511](https://support.microsoft.com/help/4000824)
- [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470)
- [Windows Server 2012](https://support.microsoft.com/help/4009471)
- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469)
- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469)
## Data Collection
1. Network Capture with ETW. Enter the following at an elevated command prompt:
```cmd
```console
netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
```
2. Reproduce the issue.
@ -70,12 +69,12 @@ Make sure that you install the latest Windows updates, cumulative updates, and r
- If intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
3. Stop the trace by entering the following command:
```cmd
```console
netsh trace stop
```
4. To convert the output file to text format:
```cmd
```console
netsh trace convert c:\tmp\wireless.etl
```
@ -105,39 +104,39 @@ The wifi connection state machine has the following states:
Standard wifi connections tend to transition between states such as:
**Connecting**
- Connecting
Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected
Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected
**Disconnecting**
- Disconnecting
Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
>Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down. A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article.
Filtering the ETW trace with the [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases) (TAT) is an easy first step to determine where a failed connection setup is breaking down. A useful [wifi filter file](#wifi-filter-file) is included at the bottom of this article.
Use the **FSM transition** trace filter to see the connection state machine. You can see [an example](#textanalysistool-example) of this filter applied in the TAT at the bottom of this page.
The following is an example of a good connection setup:
<pre>
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
46085 [2]0F24.17E0::2018-09-17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
47393 [1]0F24.1020::2018-09-17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
</pre>
```
The following is an example of a failed connection setup:
<pre>
```console
44676 [2]0F24.1020::2018-09-17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
45473 [1]0F24.1020::2018-09-17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv_Configuring
45597 [3]0F24.1020::2018-09-17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv_Configuring to State: Configuring
46085 [2]0F24.17E0::2018-09-17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
47393 [1]0F24.1020::2018-09-17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
49465 [2]0F24.17E0::2018-09-17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
</pre>
```
By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state.
@ -155,7 +154,7 @@ Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** fil
Continuing with the example above, the combined filters look like this:
<pre>
```console
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Reset to State: Ihv_Configuring
[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
@ -173,7 +172,7 @@ Associating to State: Authenticating
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
</pre>
```
> [!NOTE]
> In the next to last line the SecMgr transition is suddenly deactivating:<br>
@ -182,7 +181,7 @@ Authenticating to State: Roaming
Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
<pre>
```console
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
@ -196,7 +195,7 @@ Associating to State: Authenticating
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming
</pre>
```
The trail backwards reveals a **Port Down** notification:
@ -208,7 +207,7 @@ Below, the MSM is the native wifi stack. These are Windows native wifi drivers w
Enable trace filter for **[Microsoft-Windows-NWifi]:**
<pre>
```console
[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Associating to State: Authenticating
[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4)
@ -222,12 +221,14 @@ Associating to State: Authenticating
[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11)
[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port[13] Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1)
[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
Authenticating to State: Roaming</pre>
Authenticating to State: Roaming
```
In the trace above, we see the line:
<pre>
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4</pre>
```console
[0]0000.0000::08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
```
This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disassociate coming from the Access Point (AP), as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from the AP.
@ -238,7 +239,7 @@ This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disas
## Example ETW capture
<pre>
```console
C:\tmp>netsh trace start wireless_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl
Trace configuration:
@ -279,7 +280,7 @@ C:\tmp>dir
01/09/2019 02:59 PM 2,786,540 wireless.txt
3 File(s) 10,395,004 bytes
2 Dir(s) 46,648,332,288 bytes free
</pre>
```
## Wifi filter file

2
windows/client-management/change-default-removal-policy-external-storage-media.md
View File

@ -3,7 +3,7 @@ title: Windows 10 default media removal policy
description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal."
ms.prod: w10
author: Teresa-Motiv
ms.author: v-tea
ms.author: dougeby
ms.date: 11/25/2020
ms.topic: article
ms.custom:

2
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -73,7 +73,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
> [!NOTE]
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials).
## Supported configurations

2
windows/client-management/group-policies-for-enterprise-and-education-editions.md
View File

@ -32,7 +32,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W
| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). |
| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application<br><br>User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app<br><br>User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |

2
windows/client-management/manage-settings-app-with-group-policy.md
View File

@ -26,7 +26,7 @@ To make use of the Settings App group policies on Windows server 2016, install f
>[!Note]
>Each server that you want to manage access to the Settings App must be patched.
If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app.

2
windows/client-management/mandatory-user-profile.md
View File

@ -42,7 +42,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning).
## Mandatory user profile

687
windows/client-management/mdm/bitlocker-csp.md
View File

@ -28,7 +28,7 @@ For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation
The following shows the BitLocker configuration service provider in tree format.
```
```console
./Device/Vendor/MSFT
BitLocker
----RequireStorageCardEncryption
@ -63,85 +63,21 @@ BitLocker
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
<!--Policy-->
<a href="" id="requirestoragecardencryption"></a>**RequireStorageCardEncryption**
<!--Description-->
Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
<!--SupportedValues-->
- 0 (default) Storage cards do not need to be encrypted.
- 1 Require storage cards to be encrypted.
<!--/SupportedValues-->
Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
If you want to disable this policy use the following SyncML:
```xml
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
Data type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--/Policy-->
<!--Policy-->
<a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**
<!--Description-->
Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
Data type is integer. Sample value for this node to enable this policy: 1.
Supported operations are Add, Get, Replace, and Delete.
@ -193,24 +129,15 @@ If you want to disable this policy, use the following SyncML:
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
<!--/Description-->
<!--SupportedValues-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
@ -276,26 +203,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -347,26 +263,15 @@ If you disable or do not configure this setting, the identification field is not
Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -400,26 +305,15 @@ If this policy is disabled, the options of "Require additional authentication at
Allows users to configure whether or not enhanced startup PINs are used with BitLocker.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -456,26 +350,15 @@ If you disable or do not configure this policy setting, enhanced PINs will not b
Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -512,26 +395,15 @@ Sample value for this node to disable this policy is:
Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -574,26 +446,15 @@ When the Windows Recovery Environment is not enabled and this policy is not enab
Allows you to configure the encryption type that is used by BitLocker.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -633,26 +494,15 @@ For more information about the tool to manage BitLocker, see [Manage-bde](/windo
This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -741,26 +591,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -818,26 +657,15 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo
(PrebootRecoveryInfo_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -907,26 +735,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -1004,26 +821,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -1110,26 +916,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -1179,26 +974,15 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
Allows you to configure the encryption type on fixed data drives that is used by BitLocker.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -1240,26 +1024,15 @@ For more information about the tool to manage BitLocker, see [Manage-bde](/windo
This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -1320,26 +1093,15 @@ Disabling the policy will let the system choose the default behaviors. If you wa
Allows you to configure the encryption type that is used by BitLocker.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -1375,26 +1137,15 @@ If this policy is disabled or not configured, the BitLocker Setup Wizard asks th
Allows you to control the use of BitLocker on removable data drives.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--ADMXMapped-->
ADMX Info:
@ -1445,26 +1196,15 @@ Allows the admin to disable the warning prompt for other disk encryption on the
> [!Warning]
> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--SupportedValues-->
The following list shows the supported values:
@ -1509,26 +1249,15 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--SupportedValues-->
The expected values for this policy are:
@ -1564,26 +1293,15 @@ This setting initiates a client-driven recovery password refresh after an OS dri
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
Value type is int. Supported operations are Add, Delete, Get, and Replace.
@ -1619,26 +1337,15 @@ Each server-side recovery key rotation is represented by a request ID. The serve
- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
- RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
@ -1664,26 +1371,15 @@ Interior node. Supported operation is Get.
This node reports compliance state of device encryption on the system.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
<!--SupportedValues-->
@ -1732,26 +1428,15 @@ Status code can be one of the following:
- 0 - Pass
- Any other code - Failure HRESULT
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
</tr>
</table>
<!--/SupportedSKUs-->
Value type is int. Supported operation is Get.
@ -1767,26 +1452,14 @@ This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
<!--/Description-->
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->

94
windows/client-management/mdm/browserfavorite-csp.md
View File

@ -1,94 +0,0 @@
---
title: BrowserFavorite CSP
description: Learn how the BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 10/25/2021
---
# BrowserFavorite CSP
The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
> [!Note]
> BrowserFavorite CSP is only supported in Windows Phone 8.1.
The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder.
> [!Note]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
```console
BrowserFavorite
favorite name
----URL
```
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
> [!Note]
> The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |
Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite.
<a href="" id="url"></a>**URL**
Optional. Specifies the complete URL for the favorite.
## OMA client provisioning examples
Adding a new browser favorite.
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<wap-provisioningdoc>
<characteristic type="BrowserFavorite">
<characteristic type="Help and how-to">
<parm name="URL" value="http://www.microsoft.com/windowsphone/en-US/howto/wp7/default.aspx"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available|
|--- |--- |
|Parm-query|Yes|
|Noparm|Yes|
|Nocharacteristic|Yes|
|Characteristic-query|Yes<br> <br>Recursive query: Yes<br> <br>Top-level query: Yes|
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

970
windows/client-management/mdm/change-history-for-mdm-documentation.md
View File

File diff suppressed because one or more lines are too long

6
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -228,9 +228,9 @@ Optional. Specifies where to keep the private key.
The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|---|---|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
| 2 | Private key protected by phone TPM if the device supports TPM. |
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
@ -361,7 +361,7 @@ The date type format is Null, meaning this node doesnt contain a value.
The only supported operation is Execute.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
Optional. Specify the Azure AD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail.
Data type is string.

9
windows/client-management/mdm/clientcertificateinstall-ddf-file.md
View File

@ -556,21 +556,22 @@ Supported operations are Get, Add, Delete, Replace.</Description>
</AccessType>
<DefaultValue>3</DefaultValue>
<Description>Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
SCEP enrolled cert doesnt support TPM PIN protection.
Supported values:
SCEP enrolled cert doesnt support TPM PIN protection. Supported values:
1 private key protected by TPM,
2 private key protected by phone TPM if the device supports TPM.
All Windows Phone 8.1 devices support TPM and will treat value 2 as 1
3 (default) private key saved in software KSP
4 private key protected by NGC. If this option is specified, container name should be specifed, if not enrollment will fail
4 private key protected by NGC. If this option is specified, container name should be specified, if not enrollment will fail.
Format is int.
Supported operations are Get, Add, Delete, Replace
</Description>
<DFFormat>
<int />

657
windows/client-management/mdm/configuration-service-provider-reference.md
View File

File diff suppressed because it is too large Load Diff

6
windows/client-management/mdm/devdetail-csp.md
View File

@ -77,7 +77,7 @@ For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it r
Supported operation is Get.
<a href="" id="swv"></a>**SwV**
Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the client device. In the future, the build numbers may converge.
Supported operation is Get.
@ -114,6 +114,8 @@ Supported operation is Get.
This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
<!-- 12.15.2021 (mandia): Based on the description, I'm assuming this ID is specific to Windows 10 Mobile. Commented out as Windows 10 Mobile is past EoL.
<a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID**
Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support.
@ -121,6 +123,8 @@ Supported operation is Get.
The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
-->
<a href="" id="ext-microsoft-radioswv"></a>**Ext/Microsoft/RadioSwV**
Required. Returns the radio stack software version number.

6
windows/client-management/mdm/devicelock-csp.md
View File

@ -14,6 +14,9 @@ ms.date: 06/26/2017
# DeviceLock CSP
This policy is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows Phone 8.1.
The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server.
@ -304,7 +307,10 @@ All node values under the **ProviderID** interior node represent the policy valu
The value applied to the device can be queried via the nodes under the **DeviceValue** interior node.
-->
## Related articles
[Policy CSP](policy-configuration-service-provider.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

15
windows/client-management/mdm/devicelock-ddf-file.md
View File

@ -14,6 +14,9 @@ ms.date: 06/26/2017
# DeviceLock DDF file
This policy is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows Phone 8.1.
This topic shows the OMA DM device description framework (DDF) for the **DeviceLock** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@ -496,18 +499,10 @@ This topic shows the OMA DM device description framework (DDF) for the **DeviceL
</Node>
</MgmtTree>
```
-->
## Related topics
[Policy CSP](policy-configuration-service-provider.md)
[DeviceLock configuration service provider](devicelock-csp.md)
 
 

34
windows/client-management/mdm/dmprocessconfigxmlfiltered.md
View File

@ -25,7 +25,7 @@ ms.date: 06/26/2017
# DMProcessConfigXMLFiltered function
> [!Important]
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
> The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. For more information about the new process for provisioning connectivity configuration, see [Connectivity configuration](/previous-versions//dn757424(v=vs.85)). However, this function is still supported for other OEM uses.
Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
@ -45,7 +45,7 @@ Microsoft recommends that this function isn't used to configure the following ty
- Email settings
> [!Note]
> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
> The **DMProcessConfigXMLFiltered** function has full functionality in Windows Phone 8.1, but it has a read-only functionality in Windows 10.
@ -54,37 +54,29 @@ Microsoft recommends that this function isn't used to configure the following ty
```C++
HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
LPCWSTR pszXmlIn,
const WCHAR   **rgszAllowedCspNode,
const DWORD   dwNumAllowedCspNodes,
BSTR    *pbstrXmlOut
const WCHAR **rgszAllowedCspNode,
const DWORD dwNumAllowedCspNodes,
BSTR *pbstrXmlOut
);
```
## Parameters
*pszXmlIn*
<ul>
<li>[in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. <strong>DMProcessConfigXMLFiltered</strong> accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).</li>
</ul>
<br>
- [in] The nullterminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. **DMProcessConfigXMLFiltered** accepts only OMA Client Provisioning XML (also known as WAP provisioning). It doesn't accept OMA DM SyncML XML (also known as SyncML).
*rgszAllowedCspNode*
<ul>
<li>[in] Array of <strong>WCHAR\</strong>* that specify which configuration service provider nodes can be invoked.</li>
</ul>
<br>
- [in] Array of `WCHAR` that specify which configuration service provider nodes can be invoked.
*dwNumAllowedCspNodes*
<ul>
<li>[in] Number of elements passed in <em>rgszAllowedCspNode</em>.</li>
</ul>
<br>
- [in] Number of elements passed in <em>rgszAllowedCspNode</em>.
*pbstrXmlOut*
<ul>
<li>[out] The resulting nullterminated XML from configuration. The caller of <strong>DMProcessConfigXMLFiltered</strong> is responsible for cleanup of the output buffer that the <em>pbstrXmlOut</em> parameter references. Use <a href="/windows/win32/api/oleauto/nf-oleauto-sysfreestring" data-raw-source="[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)"><strong>SysFreeString</strong></a> to free the memory.</li>
</ul>
<br>
- [out] The resulting nullterminated XML from configuration. The caller of **DMProcessConfigXMLFiltered** is responsible for cleanup of the output buffer that the <em>pbstrXmlOut</em> parameter references. Use <a href="/windows/win32/api/oleauto/nf-oleauto-sysfreestring" data-raw-source="[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)">**SysFreeString**</a> to free the memory.
If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document doesn't contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned.

40
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/03/2021
ms.date: 01/03/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -49,11 +49,12 @@ For this policy to work, you must verify that the MDM service provider allows th
## Verify auto-enrollment requirements and settings
To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly.
The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid Intune license.
![Intune license verification.](images/auto-enrollment-intune-license-verification.png)
1. Verify that the user who is going to enroll the device has a valid Endpoint Protection Manager license.
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
:::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
@ -83,7 +84,7 @@ The following steps demonstrate required settings using the Intune service:
6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
![Mobility setting MDM intune.](images/auto-enrollment-microsoft-intune-setting.png)
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
@ -92,7 +93,7 @@ You may contact your domain administrators to verify if the group policy has bee
9. Verify that Microsoft Intune should allow enrollment of Windows devices.
![Enrollment of Windows devices.](images/auto-enrollment-enrollment-of-windows-devices.png)
:::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png":::
## Configure the auto-enrollment Group Policy for a single PC
@ -113,12 +114,11 @@ Requirements:
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
> [!div class="mx-imgBorder"]
> ![MDM policies.](images/autoenrollment-mdm-policies.png)
:::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png":::
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
![MDM autoenrollment policy.](images/autoenrollment-policy.png)
:::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
@ -159,7 +159,7 @@ Requirements:
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
![Auto-enrollment scheduled task.](images/autoenrollment-scheduled-task.png)
:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
@ -222,7 +222,7 @@ Requirements:
5. Copy PolicyDefinitions folder to **\\SYSVOL\contoso.com\policies\PolicyDefinitions**.
If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain.
If this folder does not exist, then be aware that you will be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
@ -249,21 +249,21 @@ To collect Event Viewer logs:
3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully:
![Event ID 75.](images/auto-enrollment-troubleshooting-event-id-75.png)
:::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons:
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed:
![Event ID 76.](images/auto-enrollment-troubleshooting-event-id-76.png)
:::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png":::
To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors) for more information.
- The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
![Task scheduler.](images/auto-enrollment-task-scheduler.png)
:::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
> [!Note]
> This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
@ -272,24 +272,24 @@ To collect Event Viewer logs:
**Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**.
Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
![Event ID 107.](images/auto-enrollment-event-id-107.png)
:::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
When the task is completed, a new event ID 102 is logged.
![Event ID 102.](images/auto-enrollment-event-id-102.png)
:::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
![Outdated enrollment entries.](images/auto-enrollment-outdated-enrollment-entries.png)
:::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
![Manually deleted entries.](images/auto-enrollment-activation-verification-less-entries.png)
:::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
### Related topics
@ -298,7 +298,7 @@ To collect Event Viewer logs:
- [Link a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11))
- [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
- [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
- [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- [Getting started with Cloud Native Windows Endpoints](/mem/cloud-native-windows-endpoints)
- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)

3
windows/client-management/mdm/enterpriseappmanagement-csp.md
View File

@ -18,8 +18,7 @@ ms.date: 06/26/2017
The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment.
> [!NOTE]
> The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile.
> The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core.
The following shows the EnterpriseAppManagement configuration service provider in tree format.

1116
windows/client-management/mdm/enterpriseassignedaccess-csp.md
View File

File diff suppressed because it is too large Load Diff

328
windows/client-management/mdm/enterpriseassignedaccess-ddf.md
View File

@ -1,328 +0,0 @@
---
title: EnterpriseAssignedAccess DDF
description: Utilize the OMA DM device description framework (DDF) for the EnterpriseAssignedAccess configuration service provider.
ms.assetid: 8BD6FB05-E643-4695-99A2-633995884B37
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# EnterpriseAssignedAccess DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseAssignedAccess</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/EnterpriseAssignedAccess</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>AssignedAccess</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AssignedAccessXml</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LockScreenWallpaper</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>BGFileName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Theme</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ThemeBackground</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ThemeAccentColorID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ThemeAccentColorValue</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Clock</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TimeZone</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Locale</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Language</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

270
windows/client-management/mdm/enterpriseassignedaccess-xsd.md
View File

@ -1,270 +0,0 @@
---
title: EnterpriseAssignedAccess XSD
description: This XSD can be used to validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node.
ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# EnterpriseAssignedAccess XSD
This XSD can be used to validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node.
```xml
<?xml version="1.0" encoding="utf-16LE" ?>
<!--
In-memory format is Little Endian and
hence the encoding of this file has to be little endian
to be in the native format. Make sure that this file's
encoding is Unicode-16 LE (Unicode Codepage 1200)
-->
<xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
>
<!-- COMPLEX TYPE: ROLE LIST TYPE -->
<xs:complexType name="role_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Role" type="role_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN SIZE TYPE -->
<xs:simpleType name="startscreen_size_t">
<xs:restriction base="xs:string">
<!-- Small: 4 columns-->
<xs:enumeration value="Small"/>
<!-- Large: 6 columns-->
<xs:enumeration value="Large"/>
</xs:restriction>
</xs:simpleType>
<!-- COMPLEX TYPE: APPLICATION LIST TYPE -->
<xs:complexType name="application_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Application" type="application_t" minOccurs="0" maxOccurs="unbounded" >
<xs:key name="productIdOrfolderId">
<xs:selector xpath="."/>
<xs:field xpath="@productId|@folderId"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON LIST TYPE -->
<xs:complexType name="button_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Button" minOccurs="0" maxOccurs="unbounded" type="button_t">
<xs:unique name="ButtonEventUnique">
<xs:selector xpath="ButtonEvent" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: MENU ITEM LIST TYPE -->
<xs:complexType name="menu_item_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="DisableMenuItems" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN TILE MANIPULATION TYPE -->
<xs:complexType name="tile_manipulation_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="EnableTileManipulation" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: DEFAULT TYPE -->
<xs:complexType name="default_basic_t">
<xs:sequence minOccurs="1">
<xs:element name="ActionCenter" type="actioncenter_t" minOccurs="1"/>
<xs:element name="WLANSSID" type="wlanssid_t" minOccurs="0"/>
<xs:element name="Apps" type="application_list_t" minOccurs="1">
<xs:unique name="duplicateAppsForbidden">
<xs:selector xpath="Application"/>
<xs:field xpath="@productId"/>
<xs:field xpath="@aumid"/>
</xs:unique>
</xs:element>
<xs:element name="Buttons" minOccurs="1">
<xs:complexType>
<xs:all>
<xs:element name="ButtonLockdownList" type="button_list_t" minOccurs="0">
<xs:unique name="ButtonLockdownUnique">
<xs:selector xpath="Button" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
<xs:element name="ButtonRemapList" type="button_list_t" minOccurs="0">
<xs:unique name="ButtonRemapUnique">
<xs:selector xpath="Button" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="CSPRunner" minOccurs="0"/>
<xs:element name="MenuItems" type="menu_item_list_t" minOccurs="1"/>
<xs:element name="Settings" minOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="System" type="setting_t" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Application" type="setting_t" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Tiles" type="tile_manipulation_t" minOccurs="0" ></xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: ROLE TYPE -->
<xs:complexType name="role_t">
<xs:complexContent>
<xs:extension base="default_basic_t">
<xs:attribute name="guid" type="guid_t" use="required"/>
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!-- COMPLEX TYPE: DEFAULT ROLE TYPE -->
<xs:complexType name="default_role_t">
<xs:complexContent>
<xs:extension base="default_basic_t">
<xs:sequence minOccurs="1">
<xs:element name="StartScreenSize" type="startscreen_size_t" minOccurs="1"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!-- COMPLEX TYPE: Action Center -->
<xs:complexType name="actioncenter_t">
<xs:attribute type="xs:boolean" name="enabled" use="required"/>
<xs:attribute type="xs:integer" name="actionCenterNotificationEnabled" use="optional"/>
<xs:attribute type="xs:integer" name="aboveLockToastEnabled" use="optional"/>
</xs:complexType>
<!-- COMPLEX TYPE: APPLICATION TYPE -->
<xs:complexType name="application_t">
<xs:all minOccurs="0">
<xs:element name="PinToStart" type="start_tile_t" />
</xs:all>
<xs:attribute name="productId" type="guid_t"/>
<xs:attribute name="aumid" type="xs:string" use="optional"/>
<xs:attribute name="folderName" type="xs:string" use="optional"/>
<xs:attribute name="folderId" type="xs:integer"/>
<xs:attribute name="parameters" type="xs:string" use="optional"/>
<xs:attribute name="autoRun" type="xs:boolean" use="optional"/>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN TILE CONFIGURATION TYPE-->
<xs:complexType name="start_tile_t">
<xs:all minOccurs="1" maxOccurs="1">
<xs:element name="Size" type="tile_size_t" minOccurs="1" />
<xs:element name="Location" type="tile_location_t" minOccurs="1" />
<xs:element name="ParentFolderId" type="xs:unsignedLong" minOccurs="0" maxOccurs="1" />
</xs:all>
</xs:complexType>
<!-- COMPLEX TYPE: SETTING TYPE -->
<xs:complexType name="setting_t">
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON TYPE -->
<xs:complexType name="button_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="ButtonEvent" type="button_event_t" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="name" type="supported_button_t" use="required"/>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON EVENT TYPE -->
<xs:complexType name="button_event_t">
<xs:all minOccurs="0" maxOccurs="1">
<xs:element name="Application" type="application_t" minOccurs="0" maxOccurs="1" >
<xs:key name="productIdOnly">
<xs:selector xpath="."/>
<xs:field xpath="@productId"/>
</xs:key>
</xs:element>
</xs:all>
<xs:attribute name="name" type="supported_button_event_t" use="required"/>
</xs:complexType>
<!--COMPLEX TYPE: START TILE TYPE-->
<xs:complexType name="tile_location_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="LocationX" type="xs:unsignedLong"/>
<xs:element name="LocationY" type="xs:unsignedLong"/>
</xs:sequence>
</xs:complexType>
<!-- SIMPLE TYPE: SUPPORTED BUTTON TYPE -->
<xs:simpleType name="supported_button_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Back"/>
<xs:enumeration value="Start"/>
<xs:enumeration value="Search"/>
<xs:enumeration value="Camera"/>
<xs:enumeration value="Custom1"/>
<xs:enumeration value="Custom2"/>
<xs:enumeration value="Custom3"/>
</xs:restriction>
</xs:simpleType>
<!-- SIMPLE TYPE: SUPPORTED BUTTON EVENT TYPE -->
<xs:simpleType name="supported_button_event_t">
<xs:restriction base="xs:string">
<xs:enumeration value="All"/>
<xs:enumeration value="Press"/>
<xs:enumeration value="PressAndHold"/>
</xs:restriction>
</xs:simpleType>
<!-- SIMPLE TYPE: GUID -->
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<!--SIMPLE TYPE: TILE SIZE-->
<xs:simpleType name="tile_size_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Small"/>
<xs:enumeration value="Medium"/>
<xs:enumeration value="Large"/>
</xs:restriction>
</xs:simpleType>
<!-- COMPLEX TYPE: WLANSSID -->
<xs:complexType name="wlanssid_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Data" type="xs:string"/>
<xs:element name="Exclusive" type="xs:boolean"/>
</xs:sequence>
</xs:complexType>
<!-- SCHEMA -->
<xs:element name="HandheldLockdown">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Default" type="default_role_t"/>
<xs:element name="RoleList" type="role_list_t" minOccurs="0">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="Role"/>
<xs:field xpath="@guid"/>
</xs:unique>
</xs:element>
</xs:all>
<xs:attribute name="version" use="required" type="xs:decimal"/>
</xs:complexType>
</xs:element>
</xs:schema>
```
 
 

23
windows/client-management/mdm/enterprisedataprotection-csp.md
View File

@ -38,7 +38,6 @@ EnterpriseDataProtection
--------EDPEnforcementLevel
--------EnterpriseProtectedDomainNames
--------AllowUserDecryption
--------RequireProtectionUnderLockConfig
--------DataRecoveryCertificate
--------RevokeOnUnenroll
--------RMSTemplateIDForEDP
@ -95,24 +94,6 @@ The following list shows the supported values:
Most restricted value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-requireprotectionunderlockconfig"></a>**Settings/RequireProtectionUnderLockConfig**
Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
The following list shows the supported values:
- 0 (default) Not required.
- 1 Required.
Most restricted value is 1.
The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
> [!Note]
> This setting is only supported in Windows 10 Mobile.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-datarecoverycertificate"></a>**Settings/DataRecoveryCertificate**
@ -250,7 +231,7 @@ For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don&#39;t revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
The following list shows the supported values:
@ -260,7 +241,7 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don&#39;t revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys
- 1 (default) - Revoke keys

23
windows/client-management/mdm/enterprisedataprotection-ddf-file.md
View File

@ -141,29 +141,6 @@ The XML below is the current version for this CSP.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RequireProtectionUnderLockConfig</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DataRecoveryCertificate</NodeName>
<DFProperties>

386
windows/client-management/mdm/enterpriseext-csp.md
View File

@ -1,386 +0,0 @@
---
title: EnterpriseExt CSP
description: Learn how the EnterpriseExt CSP allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior.
ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# EnterpriseExt CSP
The EnterpriseExt configuration service provider allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior.
> **Note**   The EnterpriseExt CSP is only supported in Windows 10 Mobile.
 
The following shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
```
./Vendor/MSFT
EnterpriseExt
----DeviceCustomData
--------CustomID
--------CustomString
----Brightness
--------Default
--------MaxAuto
----LedAlertNotification
--------State
--------Intensity
--------Period
--------DutyCycle
--------Cyclecount
```
The following list shows the characteristics and parameters.
<a href="" id="--vendor-msft-enterpriseext"></a>**./Vendor/MSFT/EnterpriseExt**
The root node for the EnterpriseExt configuration service provider. Supported operations is Get.
<a href="" id="devicecustomdata"></a>**DeviceCustomData**
Node for setting the custom device ID and string.
<a href="" id="devicecustomdata-customid"></a>**DeviceCustomData/CustomID**
Any string value as the device ID. This value appears in **Settings** > **About** > **Info**.
Here's an example for getting custom data.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomID</LocURI>
</Target>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomString</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="devicecustomdata-customstring"></a>**DeviceCustomData/CustomString**
Any string value that is associated with the device.
Here's an example for setting custom data.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomID</LocURI>
</Target>
<Data>urn:uuid:130CCE0D-0187-5866-855A-DE7406F76046</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomString</LocURI>
</Target>
<Data>{"firstName":"John","lastName":"Doe"}</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="brightness"></a>**Brightness**
Node for setting device brightness values.
<a href="" id="brightness-default"></a>**Brightness/Default**
Default display brightness value. For example, you can maximize battery life by reducing the default value or set it to medium in a facility that is generally darker.
The valid values are:
- Automatic - the device determines the brightness
- Low
- Medium
- High
The supported operations are Get and Replace.
Here's an example for getting the current default value.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/Default</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Here's an example for setting the default value to medium.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/Default</LocURI>
</Target>
<Data>medium</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="brightness-maxauto"></a>**Brightness/MaxAuto**
Maximum display brightness value when the device is set to automatic mode. The device brightness will never be higher than the MaxAuto value. The value values are:
- Low
- Medium
- High
The supported operations are Get and Replace.
Here's an example for setting the maximum auto-brightness to medium.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/MaxAuto</LocURI>
</Target>
<Data>medium</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification"></a>**LedAlertNotification**
Node for setting LED behavior of the device.
<a href="" id="ledalertnotification-state"></a>**LedAlertNotification/State**
LED state. The valid values are:
- 0 - off
- 1 - on
- 2 - blink
Example: LED On
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Intensity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>100</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
Example: LED Off
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification-intensity"></a>**LedAlertNotification/Intensity**
Intensity of the LED brightness. You can set the value between 1 - 100.
Example: LED blink
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Period</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>500</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Dutycycle</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>70</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Intensity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>100</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Cyclecount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>543210</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification-period"></a>**LedAlertNotification/Period**
Duration of each blink, which is the time of ON + OFF. The value is in milliseconds. This is valid only for blink.
<a href="" id="ledalertnotification-dutycycle"></a>**LedAlertNotification/DutyCycle**
LED ON duration during one blink cycle. You can set the value between 1 - 100. This is valid only for blink.
<a href="" id="ledalertnotification-cyclecount"></a>**LedAlertNotification/Cyclecount**
Number of blink cycles. The data type is a 4-byte signed integer. Any negative value or zero results in an error. This node is only valid for blink.
<a href="" id="devicereboot"></a>**DeviceReboot**
Removed in Windows 10.
<a href="" id="devicereboot-waittime"></a>**DeviceReboot/WaitTime**
Removed in Windows 10.
<a href="" id="maintenancewindow"></a>**MaintenanceWindow**
Removed in Windows 10.
<a href="" id="maintenancewindow-maintenanceallowed"></a>**MaintenanceWindow/MaintenanceAllowed**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwmandatory"></a>**MaintenanceWindow/MWMandatory**
Removed in Windows 10.
<a href="" id="maintenancewindow-schedulexml"></a>**MaintenanceWindow/ScheduleXML**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwnotificationduration"></a>**MaintenanceWindow/MWNotificationDuration**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwminimumduration"></a>**MaintenanceWindow/MWminimumDuration**
Removed in Windows 10.
<a href="" id="deviceupdate"></a>**DeviceUpdate**
Removed in Windows 10.
<a href="" id="deviceupdate-datetimestamp"></a>**DeviceUpdate/DateTimeStamp**
Removed in Windows 10.
<a href="" id="deviceupdate-updateresultxml"></a>**DeviceUpdate/UpdateResultXml**
Removed in Windows 10.
<a href="" id="mdm"></a>**MDM**
Removed in Windows 10.
<a href="" id="mdm-server"></a>**MDM/Server**
Removed in Windows 10.
<a href="" id="mdm-username"></a>**MDM/Username**
Removed in Windows 10.
<a href="" id="mdm-password"></a>**MDM/Password**
Removed in Windows 10.
<a href="" id="mdm-enabledeviceenrollment"></a>**MDM/EnableDeviceEnrollment**
Removed in Windows 10.
<a href="" id="pfx"></a>**Pfx**
Removed in Windows 10.
<a href="" id="disableenterprisevalidation"></a>**DisableEnterpriseValidation**
Removed in Windows 10.
 
 
10/10/2016

320
windows/client-management/mdm/enterpriseext-ddf.md
View File

@ -1,320 +0,0 @@
---
title: EnterpriseExt DDF
description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExt configuration service provider (CSP).
ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# EnterpriseExt DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseExt** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseExt</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DeviceCustomData</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CustomID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CustomString</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Brightness</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Default</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxAuto</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LedAlertNotification</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>State</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Intensity</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Period</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DutyCycle</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Cyclecount</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

140
windows/client-management/mdm/enterpriseextfilessystem-csp.md
View File

@ -1,140 +0,0 @@
---
title: EnterpriseExtFileSystem CSP
description: Add, retrieve, or change files through the Mobile Device Management (MDM) service using the EnterpriseExtFileSystem CSP.
ms.assetid: F773AD72-A800-481A-A9E2-899BA56F4426
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# EnterpriseExtFileSystem CSP
The EnterpriseExtFileSystem configuration service provider (CSP) allows IT administrators to add, retrieve, or change files in the file system through the Mobile Device Management (MDM) service. For example, you can use this configuration service provider to push a provisioning XML file or a new lock screen background image file to a device through the MDM service, and also retrieve logs from the device in the enterprise environment.
> **Note**  The EnterpriseExtFileSystem CSP is only supported in Windows 10 Mobile.
File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**.
The following shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
```
./Vendor/MSFT
EnterpriseExtFileSystem
----Persistent
--------Files_abc1
--------Directory_abc2
----NonPersistent
--------Files_abc3
--------Directory_abc4
----OemProfile
--------Directory_abc5
--------Files_abc6
```
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-enterpriseextfilesystem"></a>**./Vendor/MSFT/EnterpriseExtFileSystem**
<p>The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.</p>
<a href="" id="persistent"></a>**Persistent**
<p>The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.</p>
> **Important**  There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer.
>
>
>
> **Note**   When the IT admin triggers a **doWipePersistProvisionedData** action using [RemoteWipe CSP](remotewipe-csp.md), items stored in the Persistent folder are persisted over wipe and restored when the device boots again. The contents are not persisted if a **doWipe** action is triggered.
<a href="" id="nonpersistent"></a>**NonPersistent**
<p>The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.</p>
<p>When the device is wiped, any data stored in the NonPersistent folder is deleted.</p>
<a href="" id="oemprofile"></a>**OemProfile**
<p>Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.</p>
<a href="" id="directory"></a>***Directory***
<p>The name of a directory in the device file system. Any <em>Directory</em> node can have directories and files as child nodes.</p>
<p>Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.</p>
<p>Use the Get command to return the list of child node names under <em>Directory</em>.</p>
<p>Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under <em>Directory</em>.</p>
<a href="" id="filename"></a>***Filename***
<p>The name of a file in the device file system.</p>
Supported operations is Get.
## OMA DM examples
The following example shows how to retrieve a file from the device.
```xml
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/file.txt</LocURI>
</Target>
</Item>
</Get>
```
The following example shows the file name that is returned in the body of the response syncML code. In this example, the full path of the file on the device is C:/data/test/bin/filename.txt.
```xml
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/filename.txt</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
<Type xmlns="syncml:metinf">application/octet-stream</Type>
</Meta>
<Data>aGVsbG8gd29ybGQ=</Data>
</Item>
</Results>
```
The following example shows how to push a file to the device.
```xml
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/new.txt</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
<Type xmlns="syncml:metinf">application/octet-stream</Type>
</Meta>
<Data>aGVsbG8gd29ybGQ=</Data>
</Item>
</Add>
```

273
windows/client-management/mdm/enterpriseextfilesystem-ddf.md
View File

@ -1,273 +0,0 @@
---
title: EnterpriseExtFileSystem DDF
description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExtFileSystem configuration service provider (CSP).
ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# EnterpriseExtFileSystem DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseExtFileSystem** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseExtFileSystem</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Persistent</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Files_abc1</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Directory_abc2</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>NonPersistent</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Files_abc3</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Directory_abc4</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>OemProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Directory_abc5</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Files_abc6</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[EnterpriseExtFileSystem configuration service provider](enterpriseextfilessystem-csp.md)
 
 

26
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -20,7 +20,8 @@ The EnterpriseModernAppManagement configuration service provider (CSP) is used f
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
The following shows the EnterpriseModernAppManagement configuration service provider in tree format.
```
```console
./Vendor/MSFT
EnterpriseModernAppManagement
----AppManagement
@ -68,7 +69,7 @@ EnterpriseModernAppManagement
For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.
> [!Note]
> Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP.
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
<a href="" id="appmanagement"></a>**AppManagement**
Required. Used for inventory and app management (post-install).
@ -120,7 +121,7 @@ Query parameters:
- Bundle - returns installed bundle packages.
- Framework - returns installed framework packages.
- Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle.
- XAP - returns XAP package types. This filter is not supported on devices other than Windows Mobile.
- XAP - returns XAP package types. This filter is only supported on Windows Mobile.
- All - returns all package types.
If no value is specified, the combination of Main, Bundle, and Framework are returned.
@ -451,7 +452,8 @@ Valid values:
**Examples:**
Add an app to the nonremovable app policy list
```
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
@ -472,7 +474,8 @@ Add an app to the nonremovable app policy list
```
Get the status for a particular app
```
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
@ -491,7 +494,8 @@ Get the status for a particular app
Replace an app in the nonremovable app policy list
Data 0 = app is not in the app policy list
Data 1 = app is in the app policy list
```
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
@ -678,13 +682,3 @@ Subsequent query for a specific app for its properties.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

34
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -16,9 +16,9 @@ ms.date: 07/28/2017
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
The &lt;AuthenticationServiceURL&gt; element the discovery response message specifies web authentication broker page start URL.
The `<AuthenticationServiceURL>` element the discovery response message specifies web authentication broker page start URL.
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## In this topic
@ -26,7 +26,7 @@ For details about the Microsoft mobile device enrollment protocol for Windows 1
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
@ -35,7 +35,7 @@ The discovery web service provides the configuration information necessary for a
> [!NOTE]
> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request.
@ -146,7 +146,7 @@ A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse
The following are the explicit requirements for the server.
- The &lt;DiscoveryResponse&gt;&lt;AuthenticationServiceUrl&gt; element must support HTTPS.
- The `<DiscoveryResponse>``<AuthenticationServiceUrl>` element must support HTTPS.
- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
- WP doesnt support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
@ -156,8 +156,8 @@ The enrollment client issues an HTTPS request as follows:
AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name>
```
- &lt;appid&gt; is of the form ms-app://string
- &lt;User Principal Name&gt; is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
- `<appid>` is of the form ms-app://string
- `<User Principal Name>` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter.
@ -191,7 +191,7 @@ Content-Length: 556
</html>
```
The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary" contained in the &lt;wsse:BinarySecurityToken&gt; EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string.
The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `<wsse:BinarySecurityToken>` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string.
The following example shows a response received from the discovery web service which requires authentication via WAB.
@ -235,18 +235,18 @@ Policy service is optional. By default, if no policies are specified, the minimu
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
For Federated authentication policy, the security token credential is provided in a request message using the &lt;wsse:BinarySecurityToken&gt; element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
For Federated authentication policy, the security token credential is provided in a request message using the `<wsse:BinarySecurityToken>` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
- wsse:Security: The enrollment client implements the &lt;wsse:Security&gt; element defined in \[WSS\] section 5. The &lt;wsse:Security&gt; element must be a child of the &lt;s:Header&gt; element.
- wsse:BinarySecurityToken: The enrollment client implements the &lt;wsse:BinarySecurityToken&gt; element defined in \[WSS\] section 6.3. The &lt;wsse:BinarySecurityToken&gt; element must be included as a child of the &lt;wsse:Security&gt; element in the SOAP header.
- wsse:Security: The enrollment client implements the `<wsse:Security>` element defined in \[WSS\] section 5. The `<wsse:Security>` element must be a child of the `<s:Header>` element.
- wsse:BinarySecurityToken: The enrollment client implements the `<wsse:BinarySecurityToken>` element defined in \[WSS\] section 6.3. The `<wsse:BinarySecurityToken>` element must be included as a child of the `<wsse:Security>` element in the SOAP header.
As was described in the discovery response section, the inclusion of the &lt;wsse:BinarySecurityToken&gt; element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the &lt;AuthenticationServiceUrl&gt; element of &lt;DiscoveryResponse&gt; and the enterprise server.
As was described in the discovery response section, the inclusion of the `<wsse:BinarySecurityToken>` element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `<AuthenticationServiceUrl>` element of `<DiscoveryResponse>` and the enterprise server.
The &lt;wsse:BinarySecurityToken&gt; element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the &lt;wsse:BinarySecurityToken&gt; element.
The `<wsse:BinarySecurityToken>` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `<wsse:BinarySecurityToken>` element.
- wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be "http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".
- wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be `http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`.
- wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary".
- wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary`.
The following is an enrollment policy request example with a received security token as client credential.
@ -478,7 +478,7 @@ After validating the request, the web service looks up the assigned certificate
> [!Note]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http:<span></span>//schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate.
The provisioning XML contains:
@ -616,7 +616,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
> [!NOTE]
>
> - &lt;Parm name&gt; and &lt;characteristic type=&gt; elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
> - `<Parm name>` and `<characteristic type=>` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
>
> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
>

107
windows/client-management/mdm/filesystem-csp.md
View File

@ -1,107 +0,0 @@
---
title: FileSystem CSP
description: Learn how the FileSystem CSP is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device.
ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# FileSystem CSP
The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user.
> [!NOTE]
> FileSystem CSP is only supported in Windows 10 Mobile.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
```console
./Vendor/MSFT
FileSystem
----file name
----file directory
--------file name
--------file directory
```
<a href="" id="filesystem"></a>**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path.
The following properties are supported for the root node:
- `Name`: The root node name. The Get command is the only supported command.
- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command.
- `Format`: The format, which is `node`. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: Not supported.
- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
<a href="" id="file-directory"></a>***file directory***
Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements.
The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code.
The Add command is used to create a new directory. Adding a new directory under the file system root is not supported and returns a 405 error code.
The Replace command is not supported.
The Delete command is used to delete all files and subfolders under this *file directory*.
The following properties are supported for file directories:
- `Name`: The file directory name. The Get command is the only supported command.
- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command.
- `Format`: The format, which is `node`. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: Not supported.
- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command.
<a href="" id="file-name"></a>***file name***
Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead.
The Delete command deletes the file.
The Replace command updates an entire file with new file contents.
The Add command adds the file to the file directory
The Get command is not supported on a *file name* element, only on the properties of the element.
The following properties are supported for files:
- `Name`: The file name. The Get command is the only supported command.
- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command.
- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: The unencoded file content size in bytes. The Get command is the only supported command.
- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

2
windows/client-management/mdm/healthattestation-csp.md
View File

@ -1075,7 +1075,7 @@ If a device is expected to use a third-party antivirus program, ignore the repor
If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets

200
windows/client-management/mdm/hotspot-csp.md
View File

@ -1,200 +0,0 @@
---
title: HotSpot CSP
description: Learn how HotSpot configuration service provider (CSP) is used to configure and enable Internet sharing on a device.
ms.assetid: ec49dec1-fa79-420a-a9a7-e86668b3eebf
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# HotSpot CSP
The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers.
> [!Note]
> HotSpot CSP is only supported in Windows 10 Mobile.
>
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
```console
./Vendor/MSFT
HotSpot
-------Enabled
-------DedicatedConnections
-------TetheringNAIConnection
-------MaxUsers
-------MaxBluetoothUsers
-------MOHelpNumber
-------MOInfoLink
-------MOAppLink
-------MOHelpMessage
-------EntitlementRequired
-------EntitlementDll
-------EntitlementInterval
-------PeerlessTimeout
-------PublicConnectionTimeout
```
<a href="" id="enabled"></a>**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.
If this is initially set to false, the feature is turned off and the Internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible.
When this is set to true, the Internet sharing screen is added to Settings, though sharing is turned off by default until the user turns it on.
This setting can be provisioned over the air, but it may require a reboot if Settings was open when this was enabled for the first time.
<a href="" id="dedicatedconnections"></a>**DedicatedConnections**
Optional. Specifies the semicolon separated list of Connection Manager cellular connections that Internet sharing will use as the public connections.
By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections.
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
> [!Note]
> The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="tetheringnaiconnection"></a>**TetheringNAIConnection**
Optional. Specifies the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection.
If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must use the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) to provision a TetheringNAI connection and then specify the provisioned connection in this node.
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
> [!Note]
> The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="maxusers"></a>**MaxUsers**
Optional. Specifies the maximum number of simultaneous users that can be connected to a device while in a sharing state. The value must be between 1 and 8 inclusive. The default value is 5.
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="maxbluetoothusers"></a>**MaxBluetoothUsers**
Optional. Specifies the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. The value must be between 1 and 7 inclusive. The default value is 7.
<a href="" id="mohelpnumber"></a>**MOHelpNumber**
Optional. A mobile operatorspecified device number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help.
<a href="" id="moinfolink"></a>**MOInfoLink**
Optional. A mobile operatorspecified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature.
<a href="" id="moapplink"></a>**MOAppLink**
Optional. A Windows device application link that points to a preinstalled application, provided by the mobile operator, that will help a user to subscribe to the mobile operators Internet sharing service when Internet sharing is not provisioned or entitlement fails. The general format for the link is `app://MOapp`.
<a href="" id="mohelpmessage"></a>**MOHelpMessage**
Optional. Reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form:
`@<path_to_res_dll>,-<str_id>`
Where `<path_to_res_dll>` is the path to the resource dll that contains the string and `<str_id>` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](/windows/win32/intl/using-registry-string-redirection) on MSDN.
> [!Note]
> MOAppLink is required to use the MOHelpMessage setting.
<a href="" id="entitlementrequired"></a>**EntitlementRequired**
Optional. Specifies whether the device requires an entitlement check to determine if Internet sharing should be enabled. This node is set to a Boolean value. The default value is **True**.
By default the Internet sharing service will check entitlement every time an attempt is made to enable Internet sharing. Internet sharing should be set to **False** for carrier-unlocked devices.
<a href="" id="entitlementdll"></a>**EntitlementDll**
Required if `EntitlementRequired` is set to true. The path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operators network. The value is a string that represents a valid file system path to the entitlement DLL. By default, the Internet sharing service fails entitlement checks if this setting is missing or empty. For more information, see [Creating an Entitlement DLL](#creating-entitlement-dll) later in this topic.
<a href="" id="entitlementinterval"></a>**EntitlementInterval**
Optional. The time interval, in seconds, between entitlement checks. The default value is 86,400 seconds (24 hours).
If a periodic entitlement check fails, Internet sharing is automatically disabled.
<a href="" id="peerlesstimeout"></a>**PeerlessTimeout**
Optional. The time-out period, in minutes, after which Internet sharing should automatically turn off if there are no longer any active clients. This node can be set to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes.
A reboot may be required before changes to this node take effect.
<a href="" id="publicconnectiontimeout"></a>**PublicConnectionTimeout**
Optional. The time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available. This node can be set to any value between 1 and 60 inclusive. The default value is 20 minutes. A time-out is required, so a value of 0 is not supported.
Changes to this node require a reboot.
<a href="" id="minwifikeylength"></a>**MinWifiKeyLength**
> [!Important]
> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
<a href="" id="minwifissidlength"></a>**MinWifiSSIDLength**
> [!Important]
> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
## Additional requirements for CDMA networks
For CDMA networks that use a separate Network Access Identity (NAI) for Internet sharing, a new parm, TetheringNAI, has been added in the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) configuration service provider. The following sample demonstrates how to specify the connection.
```xml
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="TetheringNAIConn">
<parm name="Version" value="1"/>
<parm name="UserName" value=""/>
<parm name="Password" value=""/>
<parm name="TetheringNAI" value="1"/>
</characteristic>
</characteristic>
<characteristic type="HotSpot">
<parm name="Enabled" value="true" datatype="boolean"/>
<parm name="EntitlementRequired" value="false" datatype="boolean"/>
<parm name="TetheringNAIConnection" value="TetheringNAIConn" datatype="string"/>
</characteristic>
</wap-provisioningdoc>
```
> [!Note]
> CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
## <a href="" id="creating-entitlement-dll"></a>Creating an Entitlement DLL
For mobile operator networks that require an entitlement check, the OEM must provide a DLL in the device image that implements a function with the following signature:
`ICS_ENTITLEMENT_RESULT IsEntitled(void);`
The `EntitlementDll` parm of the HotSpot configuration service provider must be set to a string that is the path to this DLL.
The DLL must be code signed in a specific way, see [Sign binaries and packages](/previous-versions/windows/hardware/code-signing/dn789217(v=vs.85)).
During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values.
|Value|Description|
|--- |--- |
|**ENTITLEMENT_SUCCESS**|The device is allowed to connect to the server.|
|**ENTITLEMENT_FAILED**|The device is not allowed to connect to the server|
|**ENTITLEMENT_UNAVAILABLE**|The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.|
The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

39
windows/client-management/mdm/management-tool-for-windows-store-for-business.md
View File

@ -21,49 +21,52 @@ The Microsoft Store for Business has a new web service designed for the enterpri
Here's the list of the available capabilities:
- Support for enterprise identities Enables end users within an organization to use the identity that has been provided to them within the organization. This enables an organization to retain control of the application and eliminates the need for an organization to maintain another set of identities for their users.
- Support for enterprise identities Enables end users within an organization to use the identity that has been provided to them within the organization. This feature enables an organization to keep control of the application and eliminates the need for an organization to maintain another set of identities for their users.
- Bulk acquisition support of applications Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually.
- License reclaim and re-use Enables an enterprise to retain value in their purchases by allowing the ability to un-assign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization he retains ownership of the application.
- Flexible distribution models for Microsoft Store apps Allows the enterprise to integrate with an organization's infrastructure the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
- Custom Line of Business app support Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices.
- License reclaim and reuse Enables an enterprise to keep value in their purchases by allowing the ability to unassign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization, they keep ownership of the application.
- Flexible distribution models for Microsoft Store apps Allows enterprises to integrate with an organization's infrastructure. It also allows the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
- Custom Line of Business app support Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows client devices - The Store for Business supports client devices.
For additional information about Store for Business, see the TechNet topics in [Microsoft Store for Business](/microsoft-store/).
For more information, see [Microsoft Store for Business and Education](/microsoft-store/).
## Management services
The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages.
The Store for Business provides services that enable a management tool to synchronize new and updated applications for an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provide several features, including providing application data, can assign and reclaim applications, and can download offline-licensed application packages.
- **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
- **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This metadata includes:
- The application identifier that's used to deploy online license applications
- Artwork for an application that's used to create a company portal
- Localized descriptions for applications
- **Licensing models**:
- **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
- **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
- **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity, and rely on the store services on the device to get an application from the store. It's similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
- **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed applications don't require connectivity to the store. It can be updated directly from the store if the device has connectivity, and the app update policies allow updates to be distributed using the store.
### Offline-licensed application distribution
The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.
The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.
![business store offline app distribution.](images/businessstoreportalservices2.png)
### Online-licensed application distribution
The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application.
The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application.
![business store online app distribution.](images/businessstoreportalservices3.png)
## Integrate with Azure Active Directory
The Store for Business services rely on Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business.
The Store for Business services use Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business.
To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started:
The following articles have more information about Azure AD, and how to register your application within Azure AD:
- Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](/azure/active-directory/develop/quickstart-register-app)
- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](/azure/active-directory/develop/authentication-vs-authorization)
For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026).
For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026).
## Configure your Azure AD application
@ -76,9 +79,9 @@ MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The
Here are the details for requesting an authorization token:
- Login Authority = `https://login.windows.net/<TargetTenantId>`
- Resource/audience = `https://onestore.microsoft.com`: The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page.
- ClientId = your AAD application client id
- ClientSecret = your AAD application client secret/key
- Resource/audience = `https://onestore.microsoft.com`: The token audience URI is an application identifier for which the token is being generated. It's not a URL for a service endpoint or a web page.
- ClientId = your Azure AD application client ID
- ClientSecret = your Azure AD application client secret/key
## Using the management tool

175
windows/client-management/mdm/maps-csp.md
View File

@ -1,175 +0,0 @@
---
title: Maps CSP
description: The Maps configuration service provider (CSP) is used to configure the maps to download to the device. This CSP was added in Windows 10, version 1511.
ms.assetid: E5157296-7C31-4B08-8877-15304C9F6F26
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# Maps CSP
The Maps configuration service provider (CSP) is used to configure the maps to download to the device. This CSP was added in Windows 10, version 1511.
> **Note**  The Maps CSP is only supported in Windows 10 Mobile.
The following shows the Maps configuration service provider in tree format.
```
./Vendor/MSFT
Maps
----Packages
--------Package
------------Status
```
<a href="" id="maps"></a>**Maps**
Root node.
<a href="" id="packages"></a>**Packages**
Represents the map packages installed on the device.
<a href="" id="packages-package"></a>**Packages/**<strong>*Package*</strong>
A GUID that represents a map package. When you add a *Package* node, Windows adds it to the queue for download to the device. See the table below for the list of various maps and corresponding GUIDS.
<a href="" id="packages-package-status"></a>**Packages/*Package*/Status**
Represents the stat of the package installed on the device.
Valid values:
- 1 - the specified map package is queued for download.
- 2 - the specified map package is downloading or installed.
Supported operation is Get. If the map is neither queued, downloading, or installed, then you will get a 404 from a Get request.
## Examples
Here is a list of GUIDs of the most downloaded reqions.
| Region | GUID |
|-------------------------------|--------------------------------------|
| **Germany** | |
| Baden-Wuerttemberg | bab02b93-31c4-413a-b0fe-95a43e186d8c |
| Bavaria | dceea482-12e9-458e-9f0f-21def9a70ed7 |
| Berlin/Brandenburg | d8a80d64-07ef-4145-82e5-97910f1012df |
| Hesse | b28e2071-678b-4671-8eff-97e1c124f2fb |
| Lower Saxony/Bremen | e3ac0f21-7209-4f42-93bf-a0d12c7df2e5 |
| Mecklenburg-Western Pomerania | 75760c3d-e651-4b4a-abfb-c22e2bf1ed93 |
| North Rhine-Westphalia | 3846905a-891e-46a9-bc6a-53ec43edcab0 |
| Rhineland-Palatinate/Saarland | b4c18bb5-1bfe-4da8-a951-833046e37c90 |
| Saxony | 8899e1a8-fc79-4f3a-a591-85f15dfb1adb |
| Saxony-Anhalt | fdd9a3eb-4253-4c4b-b34d-66265775518d |
| Schleswig-Holstein/Hamburg | 74d868dd-99a7-492f-93ee-2b9c0a6b7ebc |
| Thuringia | 399a3387-a545-4249-9925-04660426ef1c |
| **United Kingdom** | |
| England | bf612bb8-4094-4158-ac06-96171fa7ffdf |
| Northern Ireland | 07f1d10f-cd72-4801-912a-7ba75ef5a627 |
| Scotland | cade44ea-4421-4023-9498-bf1f92025c9e |
| Wales | 869f9131-e3c7-41df-b106-9d787c633a10 |
| **USA** | |
| Alabama | 4fdaabf4-0160-4075-b7ad-7a8a71e69e7e |
| Alaska | f691e35f-a6b9-4d6c-b657-0f092d5f2f0e |
| Arizona | 4a179b8e-c993-4c4b-a242-51f69068d73b |
| Arkansas | 4d152d48-92aa-4696-b8b2-c0bbacd421b6 |
| California | 1859bd60-854a-40e3-9216-6e9cf1fcfdce |
| Colorado | d7b4de3d-370c-44dc-8dc7-dcafe676d5ff |
| Connecticut | 47fbdbe0-6c4d-4966-9a02-8decc94a5a1c |
| Delaware | b2882156-e75c-4bdf-8f9f-45cbfac6b915 |
| Florida | 1769c37c-f22a-4212-bd4b-47036693b034 |
| Georgia | ad34ec5d-d84c-42fa-bec1-fe6143d2e68d |
| Hawaii | 4019c8a1-0d8f-43c6-baa6-7ff5a7888f21 |
| Idaho | 008d318b-5004-4e13-a4a4-f520e7969026 |
| Illinois | a2c35505-daf5-432d-a4df-544a5c2987c2 |
| Indiana | 4c3b6963-e380-45a9-8b25-2bdc4ce1ab26 |
| Iowa | e07df1bc-01e6-4ffb-9a20-a142a6d38218 |
| Kansas | 3397467d-3fb9-4ded-b6ad-3ab7313f8ff1 |
| Kentucky | bc751324-a591-4ecd-b27a-af15b5518051 |
| Louisiana | d11a119c-9e25-40d9-aef9-ed2f161113b0 |
| Maine | db5e6077-f4dd-4548-b50e-ebd147d20c37 |
| Maryland | 17739d09-a70a-4a23-859c-eabc57418d2f |
| Massachusetts | d168d0d5-7683-45a4-afd4-767fd1359ad8 |
| Michigan | 0abd961b-9602-4a2e-b093-c43a2a80aab5 |
| Minnesota | 2946ed46-b171-4e38-9278-e33a6967f143 |
| Mississippi | 78a38671-a8e8-48f1-a23b-3576df370437 |
| Missouri | 5c885acb-5fdc-4305-84f1-e18d3163724b |
| Montana | baf84353-89cf-4abd-9226-b932fd2294a4 |
| Nebraska | e389c2f8-41a0-4121-a654-77c52fbd61ed |
| Nevada | 8c321bdc-8e37-4be6-96e0-1d85c77c89f0 |
| New Hampshire | 38c35895-98ce-4ee4-bb47-7291b5e8543a |
| New Jersey | 70b1d647-ff93-415f-b2be-da06ee800516 |
| New Mexico | b434ea36-03ca-405c-8332-044b602e7b49 |
| New York | 93f2ba61-e03d-4b30-9be3-6e10728302d4 |
| North Carolina | d07208ed-50da-42f2-bade-cb26f283e113 |
| North Dakota | 8c6f0ebb-f282-431e-b4be-8faca5f12be0 |
| Ohio | 36553594-8197-497f-911e-f1cd976c2e00 |
| Oklahoma | 4e3a77ff-9dca-4add-93e9-2a9d6bc244a6 |
| Oregon | cf99c8ce-1b11-4972-9e12-f8c2717ade98 |
| Pennsylvania | cb7c0dea-1f9d-41ae-b81c-e683488d260c |
| Rhode Island | 737c2fca-efd3-4f5a-9359-0c301ecc0813 |
| South Carolina | c0a5542f-5efb-49ae-9d80-3914faa4cf77 |
| South Dakota | dbd8268b-7502-4f71-ba1c-2d452d496b18 |
| Tennessee | b51f7ae4-9eac-4a2b-b605-c2f9736b3481 |
| Texas | 4cc26a23-596f-4164-b9c2-ce0267b1ada7 |
| Utah | 50b2e947-e7b3-41b2-b595-8446f3f425ca |
| Vermont | a888d9cc-9f2a-4f18-a00a-15fa860d355d |
| Virginia | bfb4cce0-8fa5-4e70-a3c7-a69adce17fc9 |
| Washington | 1734acf4-3f87-47db-aec2-2b24c08f5a60 |
| Washington D.C. | 271328d6-8409-4975-ba8c-ba44e02fd3e0 |
| West Virginia | 638b6499-749b-4908-bfe6-1b9dcf5eb675 |
| Wisconsin | 0b5a98f7-489d-4a07-859b-4e01fe9e1b32 |
| Wyoming | 360e0c25-a3bb-4e29-939a-3631eae46e9a |
Here is an example queuing a map package of New York for download.
```xml
<SyncML>
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Maps/Packages/93f2ba61-e03d-4b30-9be3-6e10728302d4</LocURI>
</Target>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Here is an example that gets the status of the New York map package on the device.
```xml
<SyncML>
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Maps/Packages/93f2ba61-e03d-4b30-9be3-6e10728302d4/Status</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```

125
windows/client-management/mdm/maps-ddf-file.md
View File

@ -1,125 +0,0 @@
---
title: Maps DDF file
description: This topic shows the OMA DM device description framework (DDF) for the Maps configuration service provider. This CSP was added in Windows 10, version 1511.
ms.assetid: EF22DBB6-0578-4FD0-B8A6-19DC03288FAF
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# Maps DDF file
This topic shows the OMA DM device description framework (DDF) for the Maps configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Maps</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Packages</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Package</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

36
windows/client-management/mdm/networkproxy-csp.md
View File

@ -15,21 +15,16 @@ manager: dansimp
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
> [!NOTE]
> In Windows 10 Mobile, the NetworkProxy CSP only works in ethernet connections. Use the WiFi CSP to configure per-network proxy for Wi-Fi connections in mobile devices.
How the settings work:
<ol>
<li>If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it.</li>
<li>If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.</li>
<li>If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server.</li>
<li>Otherwise, the system tries to reach the site directly.</li>
</ol>
- If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it.
- If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.
- If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server.
- Otherwise, the system tries to reach the site directly.
The following shows the NetworkProxy configuration service provider in tree format.
```
```console
./Vendor/MSFT
NetworkProxy
----ProxySettingsPerUser
@ -40,8 +35,9 @@ NetworkProxy
--------Exceptions
--------UseProxyForLocalAddresses
```
<a href="" id="networkproxy"></a>**./Vendor/MSFT/NetworkProxy**
The root node for the NetworkProxy configuration service provider..
The root node for the NetworkProxy configuration service provider.
<a href="" id="proxysettingsperuser"></a>**ProxySettingsPerUser**
Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide.
@ -55,10 +51,9 @@ Supported operations are Add, Get, Replace, and Delete.
Automatically detect settings. If enabled, the system tries to find the path to a PAC script.
Valid values:
<ul>
<li>0 - Disabled</li>
<li>1 (default) - Enabled</li>
</ul>
- 0 - Disabled
- 1 (default) - Enabled
The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
@ -84,17 +79,18 @@ The data type is string. Supported operations are Get and Replace. Starting in W
<a href="" id="useproxyforlocaladdresses"></a>**UseProxyForLocalAddresses**
Specifies whether the proxy server should be used for local (intranet) addresses. 
Valid values:
<ul>
<li>0 (default) - Use proxy server for local addresses</li>
<li>1 - Do not use proxy server for local addresses</li>
</ul>
- 0 (default) - Use proxy server for local addresses
- 1 - Do not use proxy server for local addresses
The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
## Configuration Example
These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace. Only enter the portion of code needed in the **Replace** section.
```xml
<Replace>
<CmdID>1</CmdID>

4
windows/client-management/mdm/nodecache-ddf-file.md
View File

@ -57,7 +57,7 @@ The XML below is the current version for this CSP.
<Add />
<Delete />
</AccessType>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache.</Description>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process.</Description>
<DFFormat>
<node />
</DFFormat>
@ -282,7 +282,7 @@ The XML below is the current version for this CSP.
<Add />
<Delete />
</AccessType>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache.</Description>
<Description>Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process.</Description>
<DFFormat>
<node />
</DFFormat>

2
windows/client-management/mdm/oma-dm-protocol-support.md
View File

@ -52,7 +52,7 @@ Common elements are used by other OMA DM element types. The following table list
|MsgID|Specifies a unique identifier for an OMA DM session message.|
|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.|
|RespURI|Specifies the URI that the recipient must use when sending a response to this message.|
|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.</div>|
|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.</div>|
|Source|Specifies the message source address.|
|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.|
|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.|

2
windows/client-management/mdm/passportforwork-csp.md
View File

@ -96,7 +96,7 @@ Node for defining the Windows Hello for Business policy settings.
<a href="" id="tenantid-policies-usepassportforwork"></a>***TenantId*/Policies/UsePassportForWork**
Boolean value that sets Windows Hello for Business as a method for signing into Windows.
Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required.
Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business.
Supported operations are Add, Get, Delete, and Replace.

88
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -1131,8 +1131,96 @@ ms.date: 10/08/2020
- [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name)
- [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state)
- [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state)
- [ADMX_TerminalServer/TS_AUTO_RECONNECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect)
- [ADMX_TerminalServer/TS_CAMERA_REDIRECTION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection)
- [ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1)
- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture)
- [ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality)
- [ADMX_TerminalServer/TS_CLIENT_CLIPBOARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard)
- [ADMX_TerminalServer/TS_CLIENT_COM](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com)
- [ADMX_TerminalServer/TS_CLIENT_DEFAULT_M](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m)
- [ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode)
- [ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1)
- [ADMX_TerminalServer/TS_CLIENT_LPT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt)
- [ADMX_TerminalServer/TS_CLIENT_PNP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp)
- [ADMX_TerminalServer/TS_CLIENT_PRINTER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer)
- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1)
- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2)
- [ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp)
- [ADMX_TerminalServer/TS_COLORDEPTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth)
- [ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles)
- [ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper)
- [ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu)
- [ADMX_TerminalServer/TS_EASY_PRINT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print)
- [ADMX_TerminalServer/TS_EASY_PRINT_User](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user)
- [ADMX_TerminalServer/TS_EnableVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics)
- [ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype)
- [ADMX_TerminalServer/TS_FORCIBLE_LOGOFF](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method)
- [ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server)
- [ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory)
- [ADMX_TerminalServer/TS_KEEP_ALIVE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive)
- [ADMX_TerminalServer/TS_LICENSE_SECGROUP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup)
- [ADMX_TerminalServer/TS_LICENSE_SERVERS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers)
- [ADMX_TerminalServer/TS_LICENSE_TOOLTIP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip)
- [ADMX_TerminalServer/TS_LICENSING_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode)
- [ADMX_TerminalServer/TS_MAX_CON_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy)
- [ADMX_TerminalServer/TS_MAXDISPLAYRES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres)
- [ADMX_TerminalServer/TS_MAXMONITOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor)
- [ADMX_TerminalServer/TS_NoDisconnectMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu)
- [ADMX_TerminalServer/TS_NoSecurityMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu)
- [ADMX_TerminalServer/TS_PreventLicenseUpgrade](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade)
- [ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp)
- [ADMX_TerminalServer/TS_RADC_DefaultConnection](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection)
- [ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration)
- [ADMX_TerminalServer/TS_RemoteControl_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1)
- [ADMX_TerminalServer/TS_RemoteControl_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2)
- [ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics)
- [ADMX_TerminalServer/TS_SD_ClustName](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname)
- [ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address)
- [ADMX_TerminalServer/TS_SD_Loc](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc)
- [ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy)
- [ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect)
- [ADMX_TerminalServer/TS_SELECT_TRANSPORT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport)
- [ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp)
- [ADMX_TerminalServer/TS_SERVER_AUTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth)
- [ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred)
- [ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred)
- [ADMX_TerminalServer/TS_SERVER_COMPRESSOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor)
- [ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality)
- [ADMX_TerminalServer/TS_SERVER_LEGACY_RFX](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx)
- [ADMX_TerminalServer/TS_SERVER_PROFILE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile)
- [ADMX_TerminalServer/TS_SERVER_VISEXP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp)
- [ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver)
- [ADMX_TerminalServer/TS_Session_End_On_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1)
- [ADMX_TerminalServer/TS_Session_End_On_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2)
- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1)
- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2)
- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1)
- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2)
- [ADMX_TerminalServer/TS_SESSIONS_Limits_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_1)
- [ADMX_TerminalServer/TS_SESSIONS_Limits_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_2)
- [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session)
- [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card)
- [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1)
- [ADMX_TerminalServer/TS_START_PROGRAM_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2)
- [ADMX_TerminalServer/TS_TEMP_DELETE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete)
- [ADMX_TerminalServer/TS_TEMP_PER_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session)
- [ADMX_TerminalServer/TS_TIME_ZONE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone)
- [ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy)
- [ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp)
- [ADMX_TerminalServer/TS_UIA](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia)
- [ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable)
- [ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy)
- [ADMX_TerminalServer/TS_USER_HOME](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home)
- [ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles)
- [ADMX_TerminalServer/TS_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles)
- [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails)
- [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders)
- [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders)

349
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -4068,12 +4068,269 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
### ADMX_TerminalServer policies
<dl>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect" id="admx-terminalserver-ts_auto_reconnect">ADMX_TerminalServer/TS_AUTO_RECONNECT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection" id="admx-terminalserver-ts_camera_redirection">ADMX_TerminalServer/TS_CAMERA_REDIRECTION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy" id="admx-terminalserver-ts_certificate_template_policy">ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1" id="admx-terminalserver-ts_client_allow_signed_files_1">ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2" id="admx-terminalserver-ts_client_allow_signed_files_2">ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1" id="admx-terminalserver-ts_client_allow_unsigned_files_1">ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2" id="admx-terminalserver-ts_client_allow_unsigned_files_2">ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio" id="admx-terminalserver-ts_client_audio">ADMX_TerminalServer/TS_CLIENT_AUDIO</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture" id="admx-terminalserver-ts_client_audio_capture">ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality" id="admx-terminalserver-ts_client_audio_quality">ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard" id="admx-terminalserver-ts_client_clipboard">ADMX_TerminalServer/TS_CLIENT_CLIPBOARD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com" id="admx-terminalserver-ts_client_com">ADMX_TerminalServer/TS_CLIENT_COM</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m" id="admx-terminalserver-ts_client_default_m">ADMX_TerminalServer/TS_CLIENT_DEFAULT_M</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode" id="admx-terminalserver-ts_client_disable_hardware_mode">ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1" id="admx-terminalserver-ts_client_disable_password_saving_1">ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt" id="admx-terminalserver-ts_client_lpt">ADMX_TerminalServer/TS_CLIENT_LPT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp" id="admx-terminalserver-ts_client_pnp">ADMX_TerminalServer/TS_CLIENT_PNP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer" id="admx-terminalserver-ts_client_printer">ADMX_TerminalServer/TS_CLIENT_PRINTER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1" id="admx-terminalserver-ts_client_trusted_certificate_thumbprints_1">ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2" id="admx-terminalserver-ts_client_trusted_certificate_thumbprints_2">ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp" id="admx-terminalserver-ts_client_turn_off_udp">ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth" id="admx-terminalserver-ts_colordepth">ADMX_TerminalServer/TS_COLORDEPTH</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles" id="admx-terminalserver-ts_delete_roaming_user_profiles">ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper" id="admx-terminalserver-ts_disable_remote_desktop_wallpaper">ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu" id="admx-terminalserver-ts_dx_use_full_hwgpu">ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print" id="admx-terminalserver-ts_easy_print">ADMX_TerminalServer/TS_EASY_PRINT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user" id="admx-terminalserver-ts_easy_print_user">ADMX_TerminalServer/TS_EASY_PRINT_User</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics" id="admx-terminalserver-ts_enablevirtualgraphics">ADMX_TerminalServer/TS_EnableVirtualGraphics</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype" id="admx-terminalserver-ts_fallbackprintdrivertype">ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff" id="admx-terminalserver-ts_forcible_logoff">ADMX_TerminalServer/TS_FORCIBLE_LOGOFF</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable" id="admx-terminalserver-ts_gateway_policy_enable">ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method" id="admx-terminalserver-ts_gateway_policy_auth_method">ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server" id="admx-terminalserver-ts_gateway_policy_server">ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory" id="admx-terminalserver-ts_join_session_directory">ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive" id="admx-terminalserver-ts_keep_alive">ADMX_TerminalServer/TS_KEEP_ALIVE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup" id="admx-terminalserver-ts_license_secgroup">ADMX_TerminalServer/TS_LICENSE_SECGROUP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers" id="admx-terminalserver-ts_license_servers">ADMX_TerminalServer/TS_LICENSE_SERVERS</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip" id="admx-terminalserver-ts_license_tooltip">ADMX_TerminalServer/TS_LICENSE_TOOLTIP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode" id="admx-terminalserver-ts_licensing_mode">ADMX_TerminalServer/TS_LICENSING_MODE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy" id="admx-terminalserver-ts_max_con_policy">ADMX_TerminalServer/TS_MAX_CON_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres" id="admx-terminalserver-ts_maxdisplayres">ADMX_TerminalServer/TS_MAXDISPLAYRES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor" id="admx-terminalserver-ts_maxmonitor">ADMX_TerminalServer/TS_MAXMONITOR</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu" id="admx-terminalserver-ts_nodisconnectmenu">ADMX_TerminalServer/TS_NoDisconnectMenu</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu" id="admx-terminalserver-ts_nosecuritymenu">ADMX_TerminalServer/TS_NoSecurityMenu</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade" id="admx-terminalserver-ts_preventlicenseupgrade">ADMX_TerminalServer/TS_PreventLicenseUpgrade</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp" id="admx-terminalserver-ts_promt_creds_client_comp">ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection" id="admx-terminalserver-ts_radc_defaultconnection">ADMX_TerminalServer/TS_RADC_DefaultConnection</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration" id="admx-terminalserver-ts_rdsappx_waitforregistration">ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1" id="admx-terminalserver-ts_remotecontrol_1">ADMX_TerminalServer/TS_RemoteControl_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2" id="admx-terminalserver-ts_remotecontrol_2">ADMX_TerminalServer/TS_RemoteControl_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics" id="admx-terminalserver-ts_remotedesktopvirtualgraphics">ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname" id="admx-terminalserver-ts_sd_clustname">ADMX_TerminalServer/TS_SD_ClustName</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address" id="admx-terminalserver-ts_sd_expose_address">ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc" id="admx-terminalserver-ts_sd_loc">ADMX_TerminalServer/TS_SD_Loc</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy" id="admx-terminalserver-ts_security_layer_policy">ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect" id="admx-terminalserver-ts_select_network_detect">ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport" id="admx-terminalserver-ts_select_transport">ADMX_TerminalServer/TS_SELECT_TRANSPORT</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp" id="admx-terminalserver-ts_server_advanced_remotefx_remoteapp">ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth" id="admx-terminalserver-ts_server_auth">ADMX_TerminalServer/TS_SERVER_AUTH</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred" id="admx-terminalserver-ts_server_avc_hw_encode_preferred">ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred" id="admx-terminalserver-ts_server_avc444_mode_preferred">ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor" id="admx-terminalserver-ts_server_compressor">ADMX_TerminalServer/TS_SERVER_COMPRESSOR</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality" id="admx-terminalserver-ts_server_image_quality">ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx" id="admx-terminalserver-ts_server_legacy_rfx">ADMX_TerminalServer/TS_SERVER_LEGACY_RFX</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile" id="admx-terminalserver-ts_server_profile">ADMX_TerminalServer/TS_SERVER_PROFILE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp" id="admx-terminalserver-ts_server_visexp">ADMX_TerminalServer/TS_SERVER_VISEXP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver" id="admx-terminalserver-ts_server_wddm_graphics_driver">ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1" id="admx-terminalserver-ts_session_end_on_limit_1">ADMX_TerminalServer/TS_Session_End_On_Limit_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2" id="admx-terminalserver-ts_session_end_on_limit_2">ADMX_TerminalServer/TS_Session_End_On_Limit_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1" id="admx-terminalserver-ts_sessions_disconnected_timeout_1">ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2" id="admx-terminalserver-ts_sessions_disconnected_timeout_2">ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2</a>
</dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1" id="admx-terminalserver-ts_sessions_idle_limit_1">ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2" id="admx-terminalserver-ts_sessions_idle_limit_2">ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session" id="admx-terminalserver-ts_single_session">ADMX_TerminalServer/TS_SINGLE_SESSION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card" id="admx-terminalserver-ts_smart_card">ADMX_TerminalServer/TS_SMART_CARD</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1" id="admx-terminalserver-ts_start_program_1">ADMX_TerminalServer/TS_START_PROGRAM_1</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2" id="admx-terminalserver-ts_start_program_2">ADMX_TerminalServer/TS_START_PROGRAM_2</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete" id="admx-terminalserver-ts_temp_delete">ADMX_TerminalServer/TS_TEMP_DELETE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session" id="admx-terminalserver-ts_temp_per_session">ADMX_TerminalServer/TS_TEMP_PER_SESSION</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone" id="admx-terminalserver-ts_time_zone">ADMX_TerminalServer/TS_TIME_ZONE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy" id="admx-terminalserver-ts_tscc_permissions_policy">ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp" id="admx-terminalserver-ts_turnoff_singleapp">ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia" id="admx-terminalserver-ts_uia">ADMX_TerminalServer/TS_UIA</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable" id="admx-terminalserver-ts_usb_redirection_disable">ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy" id="admx-terminalserver-ts_user_authentication_policy">ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home" id="admx-terminalserver-ts_user_home">ADMX_TerminalServer/TS_USER_HOME</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles" id="admx-terminalserver-ts_user_mandatory_profiles">ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES</a>
</dd>
<dd>
<a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles" id="admx-terminalserver-ts_user_profiles">ADMX_TerminalServer/TS_USER_PROFILES</a>
</dd>
<dl>
### ADMX_Thumbnails policies
@ -6181,6 +6438,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### EAP policies
<dl>
<dd>
<a href="./policy-csp-eap.md#eap-allowtls1_3" id="eap-allowtls1_3">EAP/AllowTLS1_3</a>
</dd>
</dl>
### Education policies
<dl>
@ -6371,6 +6636,20 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### HumanPresence policies
<dl>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forceinstantlock" id="humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
</dd>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forceinstantwake" id="humanpresence-forceinstantwake">HumanPresence/ForceInstantWake</a>
</dd>
<dd>
<a href="./policy-csp-humanpresence.md#humanpresence-forcelocktimeout" id="humanpresence-forcelocktimeout">HumanPresence/ForceLockTimeout</a>
</dd>
</dl>
### InternetExplorer policies
<dl>
@ -8294,6 +8573,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-storage.md#storage-removablediskdenywriteaccess" id="storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenyreadaccessperdevice" id="storage-wpddevicesdenyreadaccessperdevice">Storage/WPDDevicesDenyReadAccessPerDevice</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenyreadaccessperuser" id="storage-wpddevicesdenyreadaccessperuser">Storage/WPDDevicesDenyReadAccessPerUser</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenywriteaccessperdevice" id="storage-wpddevicesdenywriteaccessperdevice">Storage/WPDDevicesDenyWriteAccessPerDevice</a>
</dd>
<dd>
<a href="./policy-csp-storage.md#storage-wpddevicesdenywriteaccessperuser" id="storage-wpddevicesdenywriteaccessperuser">Storage/WPDDevicesDenyWriteAccessPerUser</a>
</dd>
</dl>
### System policies
@ -8359,6 +8650,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-system.md#system-feedbackhubalwayssavediagnosticslocally" id="system-feedbackhubalwayssavediagnosticslocally">System/FeedbackHubAlwaysSaveDiagnosticsLocally</a>
</dd>
<dd>
<a href="./policy-csp-system.md#system-limitdiagnosticlogcollection" id="system-limitdiagnosticlogcollection">System/LimitDiagnosticLogCollection</a>
</dd>
<dd>
<a href="./policy-csp-system.md#system-limitdumpcollection" id="system-limitdumpcollection">System/LimitDumpCollection</a>
</dd>
<dd>
<a href="./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics" id="system-limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
</dd>
@ -8448,6 +8745,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-textinput.md#textinput-allowlinguisticdatacollection" id="textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
</dd>
<dd>
<a href="./policy-csp-textinput.md#textinput-allowtextinputsuggestionupdate"id="textinput-allowtextinputsuggestionupdate">TextInput/AllowTextInputSuggestionUpdate</a>
</dd>
<dd>
<a href="./policy-csp-textinput.md#textinput-configurejapaneseimeversion"id="textinput-configurejapaneseimeversion">TextInput/ConfigureJapaneseIMEVersion</a>
</dd>
@ -8498,9 +8798,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
### TimeLanguageSettings policies
<dl>
<dd>
<a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks" id="timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks">TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks</a>
</dd>
<dd>
<a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone" id="timelanguagesettings-configuretimezone">TimeLanguageSettings/ConfigureTimeZone</a>
</dd>
<dd>
<a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-machineuilanguageoverwrite" id="timelanguagesettings-machineuilanguageoverwrite">TimeLanguageSettings/MachineUILanguageOverwrite</a>
</dd>
<dd>
<a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-restrictlanguagepacksandfeaturesinstall" id="timelanguagesettings-restrictlanguagepacksandfeaturesinstall">TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall</a>
</dd>
</dl>
### Troubleshooting policies
@ -8565,6 +8874,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlinegraceperiod" id="update-configuredeadlinegraceperiod">Update/ConfigureDeadlineGracePeriod</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlinegraceperiodforfeatureupdates" id="update-configuredeadlinegraceperiodforfeatureupdates">Update/ConfigureDeadlineGracePeriodForFeatureUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlinenoautoreboot" id="update-configuredeadlinenoautoreboot">Update/ConfigureDeadlineNoAutoReboot</a>
</dd>
@ -8592,6 +8904,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-update.md#update-disablewufbsafeguards" id="update-disablewufbsafeguards">Update/DisableWUfBSafeguards</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-donotenforceenterprisetlscertpinningforupdatedetection" id="update-donotenforceenterprisetlscertpinningforupdatedetection">Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-engagedrestartdeadline" id="update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
</dd>
@ -8688,6 +9003,18 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-update.md#update-setedurestart" id="update-setedurestart">Update/SetEDURestart</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-setpolicydrivenupdatesourcefordriver" id="update-setpolicydrivenupdatesourcefordriver">Update/SetPolicyDrivenUpdateSourceForDriver</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-setpolicydrivenupdatesourceforfeature" id="update-setpolicydrivenupdatesourceforfeature">Update/SetPolicyDrivenUpdateSourceForFeature</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-setpolicydrivenupdatesourceforother" id="update-setpolicydrivenupdatesourceforother">Update/SetPolicyDrivenUpdateSourceForOther</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-setpolicydrivenupdatesourceforquality" id="update-setpolicydrivenupdatesourceforquality">Update/SetPolicyDrivenUpdateSourceForQuality</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-setproxybehaviorforupdatedetection"id="update-setproxybehaviorforupdatedetection">Update/SetProxyBehaviorForUpdateDetection</a>
</dd>
@ -8798,6 +9125,17 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### VirtualizationBasedTechnology policies
<dl>
<dd>
<a href="./policy-csp-virtualizationbasedtechnology.md#virtualizationbasedtechnology-hypervisorenforcedcodeintegrity" id="virtualizationbasedtechnology-hypervisorenforcedcodeintegrity">VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity</a>
</dd>
<dd>
<a href="./policy-csp-virtualizationbasedtechnology.md#virtualizationbasedtechnology-requireuefimemoryattributestable" id="virtualizationbasedtechnology-requireuefimemoryattributestable">VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable</a>
</dd>
</dl>
### Wifi policies
<dl>
@ -8824,6 +9162,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### WindowsAutoPilot policies
<dl>
<dd>
<a href="./policy-csp-windowsautopilot.md#windowsautopilot-enableagilitypostenrollment" id="windowsautopilot-enableagilitypostenrollment">WindowsAutoPilot/EnableAgilityPostEnrollment</a>
</dd>
</dl>
### WindowsConnectionManager policies
<dl>
@ -8980,6 +9326,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery" id="wirelessdisplay-allowmdnsdiscovery">WirelessDisplay/AllowMdnsDiscovery</a>
</dd>
<dd>
<a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowmovementdetectiononinfrastructure" id="wirelessdisplay-allowmovementdetectiononinfrastructure">WirelessDisplay/AllowMovementDetectionOnInfrastructure</a>
</dd>
<dd>
<a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompc" id="wirelessdisplay-allowprojectionfrompc">WirelessDisplay/AllowProjectionFromPC</a>
</dd>

6
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -47,8 +47,6 @@ manager: dansimp
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -94,8 +92,6 @@ The following list shows the supported values:
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -138,8 +134,6 @@ The following list shows the supported values:
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>

4
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/02/2020
ms.date: 01/03/2022
ms.reviewer:
manager: dansimp
---
@ -3693,6 +3693,8 @@ ADMX Info:
<!--Description-->
This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
We do not recommend setting the value to less than 2 days to prevent machines from going out of date.
If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.

2
windows/client-management/mdm/policy-csp-admx-taskbar.md
View File

@ -1115,5 +1115,5 @@ ADMX Info:
<!--/Policy-->
<hr/>
p<!--/Policies-->
<!--/Policies-->

4732
windows/client-management/mdm/policy-csp-admx-terminalserver.md
View File

File diff suppressed because it is too large Load Diff

59
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -20,6 +20,9 @@ manager: dansimp
## ApplicationManagement policies
<dl>
<dd>
<a href="#applicationmanagement-allowautomaticapparchiving">ApplicationManagement/AllowAutomaticAppArchiving</a>
</dd>
<dd>
<a href="#applicationmanagement-allowalltrustedapps">ApplicationManagement/AllowAllTrustedApps</a>
</dd>
@ -65,6 +68,62 @@ manager: dansimp
</dl>
<hr/>
<!--Policy-->
<a href="" id="applicationmanagement-allowautomaticapparchiving"></a>**ApplicationManagement/AllowAutomaticAppArchiving**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether the system can archive infrequently used apps.
- If you enable this policy setting, then the system will periodically check for and archive infrequently used apps.
- If you disable this policy setting, then the system will not archive any apps.
If you do not configure this policy setting (default), then the system will follow default behavior, which is to periodically check for and archive infrequently used apps, and the user will be able to configure this setting themselves.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Allow all trusted apps to install*
- GP name: *AllowAutomaticAppArchiving*
- GP path: *Windows Components/App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Explicit disable.
- 1 - Explicit enable.
- 65535 (default) - Not configured.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->

52
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -39,6 +39,9 @@ manager: dansimp
<dd>
<a href="#authentication-configurewebsigninallowedurls">Authentication/ConfigureWebSignInAllowedUrls</a>
</dd>
<dd>
<a href="#authentication-configurewebcamaccessdomainnames">Authentication/ConfigureWebcamAccessDomainNames</a>
</dd>
<dd>
<a href="#authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
</dd>
@ -307,6 +310,55 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
**Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com".
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="authentication-configurewebcamaccessdomainnames"></a>**Authentication/ConfigureWebcamAccessDomainNames**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Specifies the list of domain names that are allowed to access the webcam in Web Sign-in Windows device sign-in scenarios.
Web Sign-in is only supported on Azure AD Joined PCs.
**Example**: If your organization federates to "Contoso IDP" and your Web Sign-in portal at "signinportal.contoso.com" requires webcam access, the policy value should be "contoso.com".
<!--/Description-->
<!--SupportedValues-->

30
windows/client-management/mdm/policy-csp-browser.md
View File

@ -415,7 +415,7 @@ Most restricted value: 0
<!--Validation-->
To verify AllowCookies is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Cookies** is disabled.
@ -453,8 +453,6 @@ To verify AllowCookies is set to 0 (not allowed):
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
[!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)]
@ -530,7 +528,7 @@ Most restricted value: 1
<!--Validation-->
To verify AllowDoNotTrack is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile.
1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Send Do Not Track requests** is grayed out.
@ -2223,11 +2221,6 @@ Most restricted value: 0
[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)]
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -2314,9 +2307,6 @@ Supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only available for Windows for desktop and not supported in Windows Mobile.
[!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)]
@ -2813,8 +2803,6 @@ Supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)]
@ -2931,10 +2919,6 @@ ADMX Info:
[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)]
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -3163,10 +3147,6 @@ Supported values:
<!--Description-->
[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../includes/show-message-when-opening-sites-in-ie-shortdesc.md)]
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -3221,9 +3201,6 @@ This policy allows Enterprise Admins to turn off the notification for company de
By default, a notification will be presented to the user informing them of this upon application startup.
With this policy, you can either allow (default) or suppress this notification.
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -3273,9 +3250,6 @@ Supported values:
[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:

4
windows/client-management/mdm/policy-csp-connectivity.md
View File

@ -105,7 +105,7 @@ manager: dansimp
Allows the user to enable Bluetooth or restrict access.
> [!NOTE]
>  This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile.
>  This value is not supported in Windows 10.
If this is not set or it is deleted, the default value of 2 (Allow) is used.
@ -217,7 +217,7 @@ The following list shows the supported values:
<!--Validation-->
To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
To validate on mobile devices, do the following:
To validate on devices, do the following:
1. Go to Cellular & SIM.
2. Click on the SIM (next to the signal strength icon) and select **Properties**.

5
windows/client-management/mdm/policy-csp-defender.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 01/08/2020
ms.date: 12/29/2021
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -571,6 +571,9 @@ The following list shows the supported values:
<!--/SupportedValues-->
<!--/Policy-->
> [!IMPORTANT]
> AllowOnAccessProtection is officially being deprecated.
<hr/>
<!--Policy-->

34
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -152,7 +152,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
@ -201,7 +201,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
@ -585,7 +585,7 @@ The following list shows the supported values as number of seconds:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
@ -607,8 +607,8 @@ The following list shows the supported values:
- 1 (default) HTTP blended with peering behind the same NAT.
- 2 HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
- 3 HTTP blended with Internet peering.
- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release.
- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release.
<!--/SupportedValues-->
<!--/Policy-->
@ -642,13 +642,13 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
> [!NOTE]
> You must use a GUID as the group ID.
> You must use a GUID as the group ID.
<!--/Description-->
<!--ADMXMapped-->
@ -799,10 +799,10 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
The default value is 259200 seconds (3 days).
@ -848,7 +848,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
@ -984,7 +984,7 @@ This policy is deprecated because it only applies to uploads to Internet peers (
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
@ -1033,7 +1033,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
@ -1081,7 +1081,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB.
@ -1133,7 +1133,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB.
@ -1182,7 +1182,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
@ -1231,7 +1231,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
@ -1280,7 +1280,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.

96
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -28,6 +28,9 @@ manager: dansimp
<dd>
<a href="#devicelock-allowsimpledevicepassword">DeviceLock/AllowSimpleDevicePassword</a>
</dd>
<dd>
<a href="#devicelock-allowscreentimeoutwhilelockeduserconfig">DeviceLock/AllowScreenTimeoutWhileLockedUserConfig</a>
</dd>
<dd>
<a href="#devicelock-alphanumericdevicepasswordrequired">DeviceLock/AlphanumericDevicePasswordRequired</a>
</dd>
@ -146,12 +149,52 @@ The following list shows the supported values:
Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Blocked
- 1 Allowed
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="devicelock-allowscreentimeoutwhilelockeduserconfig"></a>**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
@ -194,14 +237,14 @@ The following list shows the supported values:
Determines the type of PIN required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education).
> [!NOTE]
> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
>
> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
@ -248,7 +291,7 @@ The following list shows the supported values:
Specifies whether device lock is enabled.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
@ -277,12 +320,12 @@ Specifies whether device lock is enabled.
> - MinDevicePasswordComplexCharacters
> [!Important]
> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
> - **DevicePasswordEnabled** is the parent policy of the following:
> - AllowSimpleDevicePassword
> - MinDevicePasswordLength
> - AlphanumericDevicePasswordRequired
> - MinDevicePasswordComplexCharacters 
> - MinDevicePasswordComplexCharacters
> - DevicePasswordExpiration
> - DevicePasswordHistory
> - MaxDevicePasswordFailedAttempts
@ -330,7 +373,7 @@ The following list shows the supported values:
Specifies when the password expires (in days).
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
@ -380,7 +423,7 @@ The following list shows the supported values:
Specifies how many passwords can be stored in the history that cant be used.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
@ -430,7 +473,7 @@ The following list shows the supported values:
Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
> [!NOTE]
> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
Value type is a string, which is the full image filepath and filename.
@ -470,13 +513,10 @@ Value type is a string, which is the full image filepath and filename.
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
This policy has different behaviors on the mobile device and desktop.
- On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
On a client device, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
@ -489,7 +529,7 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
<!--SupportedValues-->
The following list shows the supported values:
- An integer X where 4 &lt;= X &lt;= 16 for desktop and 0 &lt;= X &lt;= 999 for mobile devices.
- An integer X where 4 &lt;= X &lt;= 16 for client devices.
- 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
<!--/SupportedValues-->
@ -526,11 +566,10 @@ The following list shows the supported values:
<!--Description-->
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
* On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
* On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
@ -541,7 +580,7 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
The following list shows the supported values:
- An integer X where 0 &lt;= X &lt;= 999.
- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined."
- 0 (default) - No timeout is defined.
<!--/SupportedValues-->
<!--/Policy-->
@ -578,11 +617,11 @@ The following list shows the supported values:
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
PIN enforces the following behavior for desktop and mobile devices:
PIN enforces the following behavior for client devices:
- 1 - Digits only
- 2 - Digits and lowercase letters are required
@ -593,10 +632,9 @@ The default value is 1. The following list shows the supported values and actual
|Account Type|Supported Values|Actual Enforced Values|
|--- |--- |--- |
|Mobile|1,2,3,4|Same as the value set|
|Desktop Local Accounts|1,2,3|3|
|Desktop Microsoft Accounts|1,2|&lt;p2|
|Desktop Domain Accounts|Not supported|Not supported|
|Local Accounts|1,2,3|3|
|Microsoft Accounts|1,2|&lt;p2|
|Domain Accounts|Not supported|Not supported|
Enforced values for Local and Microsoft Accounts:
@ -652,7 +690,7 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
Specifies the minimum number or characters required in the PIN or password.
> [!NOTE]
> This policy must be wrapped in an Atomic command.
> This policy must be wrapped in an Atomic command.
>
> Always use the Replace command instead of Add for this policy in Windows for desktop editions.
@ -666,9 +704,9 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
<!--SupportedValues-->
The following list shows the supported values:
- An integer X where 4 &lt;= X &lt;= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6.
- An integer X where 4 &lt;= X &lt;= 16 for client devices. However, local accounts will always enforce a minimum password length of 6.
- Not enforced.
- The default value is 4 for mobile devices and desktop devices.
- The default value is 4 for client devices.
<!--/SupportedValues-->
<!--Example-->

83
windows/client-management/mdm/policy-csp-eap.md Normal file
View File

@ -0,0 +1,83 @@
---
title: Policy CSP - EAP
description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - EAP
<hr/>
<!--Policies-->
## EAP policies
<dl>
<dd>
<a href="#eap-allowtls1_3">EAP/AllowTLS1_3</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="eap-allowtls1_3"></a>**EAP/AllowTLS1_3**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting is added in Windows 10, version 21H1. Allow or disallow use of TLS 1.3 during EAP client authentication.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *AllowTLS1_3*
- GP name: *AllowTLS1_3*
- GP path: *Windows Components/EAP*
- GP ADMX file name: *EAP.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Use of TLS version 1.3 is not allowed for authentication.
- 1 (default) Use of TLS version 1.3 is allowed for authentication.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

19
windows/client-management/mdm/policy-csp-experience.md
View File

@ -1,6 +1,6 @@
---
title: Policy CSP - Experience
description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory.
description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -332,7 +332,7 @@ The following list shows the supported values:
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g., auto-enrolled), then disabling the MDM unenrollment has no effect.
> [!NOTE]
> The MDM server can always remotely delete the account.
> The MDM server can always remotely delete the account.
Most restricted value is 0.
@ -439,8 +439,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
@ -498,7 +496,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
@ -550,8 +548,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
> Prior to Windows 10, version 1803, this policy had User scope.
> Prior to Windows 10, version 1803, this policy had User scope.
This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
@ -605,7 +602,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
@ -658,8 +655,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
@ -763,8 +758,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
@ -909,7 +902,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.

190
windows/client-management/mdm/policy-csp-humanpresence.md Normal file
View File

@ -0,0 +1,190 @@
---
title: Policy CSP - HumanPresence
description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - HumanPresence
<hr/>
<!--Policies-->
## HumanPresence policies
<dl>
<dd>
<a href="#humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
</dd>
<dd>
<a href="#humanpresence-forceinstantwake">HumanPresence/ForceInstantWake</a>
</dd>
<dd>
<a href="#humanpresence-forcelocktimeout">HumanPresence/ForceLockTimeout</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantlock"></a>**HumanPresence/ForceInstantLock**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether the device can lock when a human presence sensor detects a human.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceInstantLock*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
- Defaults to 0.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantwake"></a>**HumanPresence/ForceInstantWake**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies whether the device can lock when a human presence sensor detects a human.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceInstantWake*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
- Defaults to 0.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forcelocktimeout"></a>**HumanPresence/ForceLockTimeout**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies at what distance the sensor wakes up when it sees a human in seconds.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceLockTimeout*
- GP path: *Windows Components/HumanPresence*
- GP ADMX file name: *HumanPresence.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Integer value that specifies whether the device can lock when a human presence sensor detects a human.
The following list shows the supported values:
- 120 = 120 seconds
- 30 = 30 seconds
- 10 = 10 seconds
- 0 = DefaultToUserChoice
- Defaults to 0
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

53
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/29/2021
ms.date: 12/16/2021
ms.reviewer:
manager: dansimp
---
@ -23,6 +23,9 @@ manager: dansimp
<dd>
<a href="#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd>
@ -222,6 +225,54 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This setting allows the administrator to enable the local Administrator account.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP Friendly name: *Accounts: Enable Administrator Account Status*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - disabled (local Administrator account is disabled).
- 1 - enabled (local Administrator account is enabled).
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**

18
windows/client-management/mdm/policy-csp-networklistmanager.md
View File

@ -1,13 +1,13 @@
---
title: Policy CSP - NetworkListManager
description: The Policy CSP - NetworkListManager setting creates a new MDM policy that allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
ms.date: 7/10/2021
ms.date: 12/16/2021
ms.reviewer:
manager: dansimp
---
@ -60,7 +60,17 @@ manager: dansimp
<!--Description-->
This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
<hr/>
When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:
`<![CDATA[https://nls.corp.contoso.com&#xF000;https://nls.corp.fabricam.com]]>`
- The HTTPS endpoint must not have any more authentication checks, such as login or multi-factor authentication.
- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
- The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store.
- A certificate should not be a public certificate.
<hr/>
@ -91,7 +101,7 @@ This policy setting provides the list of URLs (separated by Unicode character 0x
<!--/Scope-->
<!--Description-->
This policy setting provides the string to be used to name the network authenticated against one of the endpoints listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy.
This policy setting provides the string that is to be used to name a network. That network is authenticated against one of the endpoints that are listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. If this setting is used for Trusted Network Detection in an _Always On_ VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute.
<hr/>

75
windows/client-management/mdm/policy-csp-notifications.md
View File

@ -31,6 +31,9 @@ manager: dansimp
<dd>
<a href="#notifications-disallowtilenotification">Notifications/DisallowTileNotification</a>
</dd>
<dd>
<a href="#notifications-wnsendpoint">Notifications/WnsEndpoint</a>
</dd>
</dl>
@ -208,5 +211,77 @@ Validation:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="notifications-wnsendpoint"></a>**Notifications/WnsEndpoint**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications.
If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com.
Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint*
- GP name: *WnsEndpoint*
- GP path: *Start Menu and Taskbar/Notifications*
- GP ADMX file name: *WPN.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
If the policy is not specified, we will default our connection to client.wns.windows.com.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->

71
windows/client-management/mdm/policy-csp-power.md
View File

@ -14,14 +14,16 @@ manager: dansimp
# Policy CSP - Power
<hr/>
<!--Policies-->
## Power policies
<dl>
<dd>
<a href="#power-allowhibernate">Power/AllowHibernate</a>
</dd>
<dd>
<a href="#power-allowstandbystateswhensleepingonbattery">Power/AllowStandbyStatesWhenSleepingOnBattery</a>
</dd>
@ -98,6 +100,71 @@ manager: dansimp
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="power-allowhibernate"></a>**Power/AllowHibernate**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>No</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>No</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Decides if hibernate on the machine is allowed or not*
- GP name: *AllowHibernate*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->

264
windows/client-management/mdm/policy-csp-remotedesktop.md Normal file
View File

@ -0,0 +1,264 @@
---
title: Policy CSP - RemoteDesktop
description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
# Policy CSP - RemoteDesktop
<hr/>
<!--Policies-->
## RemoteDesktop policies
<dl>
<dd>
<a href="#remotedesktop-autosubscription">RemoteDesktop/AutoSubscription</a>
</dd>
<dd>
<a href="#remotedesktop-loadaadcredkeyfromprofile">RemoteDesktop/LoadAadCredKeyFromProfile</a>
</dd>
</dl>
> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="remotedesktop-autosubscription"></a>**RemoteDesktop/AutoSubscription<**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Customize warning messages*
- GP name: *AutoSubscription*
- GP path: *System/Remote Desktop*
- GP ADMX file name: *remotedesktop.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="remotedesktop-loadaadcredkeyfromprofile"></a>**RemoteDesktop/LoadAadCredKeyFromProfile**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
If you enable this policy setting, log files are generated.
If you disable this policy setting, log files are not generated.
If you do not configure this setting, application-based settings are used.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn on session logging*
- GP name: *RA_Logging*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="remoteassistance-solicitedremoteassistance"></a>**RemoteAssistance/SolicitedRemoteAssistance**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.
If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.
If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.
If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."
The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.
The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.
If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Solicited Remote Assistance*
- GP name: *RA_Solicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="remoteassistance-unsolicitedremoteassistance"></a>**RemoteAssistance/UnsolicitedRemoteAssistance**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.
If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.
If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.
To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:
`<Domain Name>\<User Name>` or
`<Domain Name>\<Group Name>`
If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.
Windows Vista and later
Enable the Remote Assistance exception for the domain profile. The exception must contain:
Port 135:TCP
%WINDIR%\System32\msra.exe
%WINDIR%\System32\raserver.exe
Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)
Port 135:TCP
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
%WINDIR%\System32\Sessmgr.exe
For computers running Windows Server 2003 with Service Pack 1 (SP1)
Port 135:TCP
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
Allow Remote Desktop Exception
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Offer Remote Assistance*
- GP name: *RA_Unsolicit*
- GP path: *System/Remote Assistance*
- GP ADMX file name: *remoteassistance.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->

28
windows/client-management/mdm/policy-csp-search.md
View File

@ -24,6 +24,9 @@ manager: dansimp
<dd>
<a href="#search-allowcloudsearch">Search/AllowCloudSearch</a>
</dd>
<dd>
<a href="#search-allowcortanainaad">Search/AllowCortanaInAAD</a>
</dd>
<dd>
<a href="#search-allowfindmyfiles">Search/AllowFindMyFiles</a>
</dd>
@ -115,6 +118,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="search-allowcortanainaad"></a>**Search/AllowCortanaInAAD**
<!--SupportedSKUs-->
@ -137,6 +141,30 @@ The following list shows the supported values:
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the cortana opt-in page during windows setup out of the box experience.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Allow Cloud Search*
- GP name: *AllowCortanaInAAD*
- GP element: *AllowCloudSearch_Dropdown*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
This is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="search-allowfindmyfiles"></a>**Search/AllowFindMyFiles**

14
windows/client-management/mdm/policy-csp-security.md
View File

@ -102,8 +102,7 @@ The following list shows the supported values:
<!--Description-->
> [!NOTE]
>
> - This policy is deprecated in Windows 10, version 1607.<br/>
> - This policy is only enforced in Windows 10 for desktop.
> - This policy is deprecated in Windows 10, version 1607.
Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
@ -185,8 +184,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
@ -280,11 +277,8 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
@ -492,8 +486,8 @@ Setting this policy to 1 (Required):
- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.
> [!NOTE]
> We recommend that this policy is set to Required after MDM enrollment.
 
> We recommend that this policy is set to Required after MDM enrollment.
Most restricted value is 1.

123
windows/client-management/mdm/policy-csp-settings.md
View File

@ -29,6 +29,9 @@ manager: dansimp
<dd>
<a href="#settings-allowdatetime">Settings/AllowDateTime</a>
</dd>
<dd>
<a href="#settings-alloweditdevicename">Settings/AllowEditDeviceName</a>
</dd>
<dd>
<a href="#settings-allowlanguage">Settings/AllowLanguage</a>
</dd>
@ -90,14 +93,11 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change Auto Play settings.
> [!NOTE]
> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
<!--/Description-->
<!--SupportedValues-->
@ -140,7 +140,7 @@ The following list shows the supported values:
Allows the user to change Data Sense settings.
> [!NOTE]
> The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later.
> The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later.
<!--/Description-->
<!--SupportedValues-->
@ -194,6 +194,68 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="settings-alloweditdevicename"></a>**Settings/AllowEditDeviceName**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy disables edit device name option on Settings.
<!--/Description-->
<!--SupportedValues-->
Describes what value are supported in by this policy and meaning of each value, default value.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage**
@ -220,9 +282,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change the language settings.
@ -266,7 +325,7 @@ The following list shows the supported values:
<!--Description-->
Enables or disables the retrieval of online tips and help for the Settings app.
If disabled, Settings will not contact Microsoft content services to retrieve tips and help content.
If disabled, Settings won't contact Microsoft content services to retrieve tips and help content.
<!--/Description-->
<!--ADMXMapped-->
@ -308,9 +367,6 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change power and sleep settings.
@ -352,9 +408,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change the region settings.
@ -396,11 +449,8 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change sign-in options.
Allows the user to change sign in options.
<!--/Description-->
<!--SupportedValues-->
@ -480,9 +530,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows user to change workplace settings.
@ -564,7 +611,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
Allows IT Admins to configure the default setting for showing more calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. Other supported calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
<!--/Description-->
<!--ADMXMapped-->
@ -615,31 +662,41 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For additional information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
Allows IT Admins to either:
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
- Prevent specific pages in the System Settings app from being visible or accessible
showonly:about;bluetooth
OR
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (that is, treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list.
- To do so for all pages except the pages you enter
The mode will be specified by the policy string beginning with either the string `showonly:` or `hide:`. Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix.
For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
The following example shows a policy that allows access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
`showonly:about;bluetooth`
If the policy isn't specified, then the behavior is that no pages are affected. If the policy string is formatted incorrectly, then it's ignored (that is, treated as not set). It's ignored to prevent the machine from becoming unserviceable if data corruption occurs. If a page is already hidden for another reason, then it stays hidden, even if the page is in a `showonly:` list.
The format of the PageVisibilityList value is as follows:
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
- There are two variants: one that shows only the given pages and one that hides the given pages.
- The first variant starts with the string "showonly:" and the second with the string "hide:".
- The first variant starts with the string `showonly:` and the second with the string "hide:".
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi".
- Each page identifier is the `ms-settings:xyz` URI for the page, minus the `ms-settings:` prefix. So the identifier for the page with the `ms-settings:network-wifi` URI would be `network-wifi`.
The default value for this setting is an empty string, which is interpreted as show everything.
Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:network-wifi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden:
**Example 1**: Only the wifi and bluetooth pages should be shown. They have URIs `ms-settings:network-wifi` and `ms-settings:bluetooth`. All other pages (and the categories they're in) will be hidden:
showonly:network-wifi;bluetooth
`showonly:network-wifi;bluetooth`
Example 2, specifies that the wifi page should not be shown:
**Example 2**: The wifi page shouldn't be shown:
hide:network-wifi
`hide:network-wifi`
<!--/Description-->
<!--ADMXMapped-->

21
windows/client-management/mdm/policy-csp-start.md
View File

@ -608,9 +608,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Forces the start screen size.
@ -658,7 +655,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy requires reboot to take effect.
> This policy requires reboot to take effect.
Allows IT Admins to configure Start by collapsing or removing the all apps list.
@ -762,7 +759,7 @@ To validate on Desktop, do the following:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy requires reboot to take effect.
> This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding most used apps.
@ -819,7 +816,7 @@ Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the
> [!NOTE]
> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
<!--/Description-->
<!--SupportedValues-->
@ -964,7 +961,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy requires reboot to take effect.
> This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding the Power button from appearing.
@ -1014,7 +1011,7 @@ To validate on Desktop, do the following:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy requires reboot to take effect.
> This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing.
@ -1072,7 +1069,7 @@ To validate on Desktop, do the following:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy requires reboot to take effect.
> This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding recently added apps.
@ -1369,7 +1366,7 @@ To validate on Desktop, do the following:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy requires reboot to take effect.
> This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding the user tile.
@ -1420,7 +1417,7 @@ To validate on Desktop, do the following:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy requires reboot to take effect.
> This policy requires reboot to take effect.
Here is additional SKU support information:
@ -1433,7 +1430,7 @@ Here is additional SKU support information:
This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
> [!IMPORTANT]
> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles).

259
windows/client-management/mdm/policy-csp-storage.md
View File

@ -48,6 +48,18 @@ manager: dansimp
<dd>
<a href="#storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenyreadaccessperdevice">Storage/WPDDevicesDenyReadAccessPerDevice</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenyreadaccessperuser">Storage/WPDDevicesDenyReadAccessPerUser</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenywriteaccessperdevice">Storage/WPDDevicesDenyWriteAccessPerDevice</a>
</dd>
<dd>
<a href="#storage-wpddevicesdenywriteaccessperuser">Storage/WPDDevicesDenyWriteAccessPerUser</a>
</dd>
</dl>
@ -566,5 +578,252 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenyreadaccessperdevice"></a>**Storage/WPDDevicesDenyReadAccessPerDevice**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny read access*
- GP name: *WPDDevices_DenyRead_Access_2*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenyreadaccessperuser"></a>**Storage/WPDDevicesDenyReadAccessPerUser**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this policy will block end-user from Read access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny read access*
- GP name: *WPDDevices_DenyRead_Access_1*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenywriteaccessperdevice"></a>**Storage/WPDDevicesDenyWriteAccessPerDevice**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny write access*
- GP name: *WPDDevices_DenyWrite_Access_2*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="storage-wpddevicesdenywriteaccessperuser"></a>**Storage/WPDDevicesDenyWriteAccessPerUser**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy will do the enforcement over the following protocols which are used by most portable devices, e.g. mobile/IOS/Android:
- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth
- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth
- Mass Storage Class (MSC) over USB
To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46).
If enabled, this will block end-user from Write access on any Windows Portal devices, e.g. mobile/iOS/Android.
>[!NOTE]
> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer.
Supported values for this policy are:
- Not configured
- Enabled
- Disabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *WPD Devices: Deny write access*
- GP name: *WPDDevices_DenyWrite_Access_1*
- GP path: *System/Removable Storage Access*
- GP ADMX file name: *RemovableStorage.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--/Policies-->

105
windows/client-management/mdm/policy-csp-system.md
View File

@ -94,6 +94,12 @@ manager: dansimp
<dd>
<a href="#system-feedbackhubalwayssavediagnosticslocally">System/FeedbackHubAlwaysSaveDiagnosticsLocally</a>
</dd>
<dd>
<a href="#system-limitdiagnosticlogcollection">System/LimitDiagnosticLogCollection</a>
</dd>
<dd>
<a href="#system-limitdumpcollection">System/LimitDumpCollection</a>
</dd>
<dd>
<a href="#system-limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
</dd>
@ -1295,6 +1301,105 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="system-limitdiagnosticlogcollection"></a>**System/LimitDiagnosticLogCollection**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It is sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for additional data collection.
If you disable or do not configure this policy setting, we may occasionally collect advanced diagnostic data if the user has opted to send optional diagnostic data.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Limit Diagnostic Log Collection*
- GP name: *LimitDiagnosticLogCollection*
- GP path: *Data Collection and Preview Builds*
- GP ADMX file name: *DataCollection.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Disabled
- 1 Enabled
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-limitdumpcollection"></a>**System/LimitDumpCollection**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps are not sent unless we have permission to collect optional diagnostic data.
By enabling this policy setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only.
If you disable or do not configure this policy setting, we may occasionally collect full or heap dumps if the user has opted to send optional diagnostic data.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Limit Dump Collection*
- GP name: *LimitDumpCollection*
- GP path: *Data Collection and Preview Builds*
- GP ADMX file name: *DataCollection.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 Disabled
- 1 Enabled
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="system-limitenhanceddiagnosticdatawindowsanalytics"></a>**System/LimitEnhancedDiagnosticDataWindowsAnalytics**

48
windows/client-management/mdm/policy-csp-textinput.md
View File

@ -58,6 +58,9 @@ manager: dansimp
<dd>
<a href="#textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
</dd>
<dd>
<a href="#textinput-allowtextinputsuggestionupdate">TextInput/AllowTextInputSuggestionUpdate</a>
</dd>
<dd>
<a href="#textinput-configurejapaneseimeversion">TextInput/ConfigureJapaneseIMEVersion</a>
</dd>
@ -616,6 +619,51 @@ This setting supports a range of values between 0 and 1.
<hr/>
<!--Policy-->
<a href="" id="textinput-allowtextinputsuggestionupdate"></a>**TextInput/AllowTextInputSuggestionUpdate**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Allows the user to turn on or off the automatic downloading of newer versions of the Expressive Input UI.
When downloading is not allowed the Expressive Input panel will always display the initial UI included with the base Windows image.
Most restricted value is 0.
Default: Enabled
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 1 (Enabled) - The newer UX is downloaded from Microsoft service.
- 0 (Disabled) - The UX remains unchanged with what the operating system installs.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="textinput-configurejapaneseimeversion"></a>**TextInput/ConfigureJapaneseIMEVersion**

161
windows/client-management/mdm/policy-csp-timelanguagesettings.md
View File

@ -22,12 +22,75 @@ manager: dansimp
## TimeLanguageSettings policies
<dl>
<dd>
<a href="#timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks">TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks</a>
</dd>
<dd>
<a href="#timelanguagesettings-configuretimezone">TimeLanguageSettings/ConfigureTimeZone</a>
</dd>
<dd>
<a href="#timelanguagesettings-machineuilanguageoverwrite">TimeLanguageSettings/MachineUILanguageOverwrite</a>
</dd>
<dd>
<a href="#timelanguagesettings-restrictlanguagepacksandfeaturesinstall">TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks"></a>**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether the maintenance task will run to clean up language packs installed on a machine but are not used by any users on that machine.
If you enable this policy setting (value 1), language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system.
If you disable (value 0) or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Block cleanup of unused language packs*
- GP name: *BlockCleanupOfUnusedPreinstalledLangPacks*
- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options*
- GP ADMX file name: *Globalization.admx*
<!--/ADMXMapped-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
@ -74,5 +137,103 @@ Specifies the time zone to be applied to the device. This is the standard Window
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="timelanguagesettings-machineuilanguageoverwrite"></a>**TimeLanguageSettings/MachineUILanguageOverwrite**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls which UI language is used for computers with more than one UI language installed.
If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the local administrator.
If you disable or do not configure this policy setting, there is no restriction of a specific language used for the Windows menus and dialogs.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Force selected system UI language to overwrite the user UI language*
- GP name: *MachineUILanguageOverwrite*
- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options*
- GP ADMX file name: *Globalization.admx*
<!--/ADMXMapped-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="timelanguagesettings-restrictlanguagepacksandfeaturesinstall"></a>**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting restricts standard users from installing language features on demand. This policy does not restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.”
If you enable this policy setting, the installation of language features is prevented for standard users.
If you disable or do not configure this policy setting, there is no language feature installation restriction for the standard users.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<!--/Policies-->

546
windows/client-management/mdm/policy-csp-update.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 11/29/2021
ms.date: 01/11/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
@ -73,6 +73,9 @@ ms.collection: highpri
<dd>
<a href="#update-configuredeadlinegraceperiod">Update/ConfigureDeadlineGracePeriod</a>
</dd>
<dd>
<a href="#update-configuredeadlinegraceperiodforfeatureupdates">Update/ConfigureDeadlineGracePeriodForFeatureUpdates</a>
</dd>
<dd>
<a href="#update-configuredeadlinenoautoreboot">Update/ConfigureDeadlineNoAutoReboot</a>
</dd>
@ -100,6 +103,9 @@ ms.collection: highpri
<dd>
<a href="#update-disablewufbsafeguards">Update/DisableWUfBSafeguards</a>
</dd>
<dd>
<a href="#update-donotenforceenterprisetlscertpinningforupdatedetection">Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection</a>
</dd>
<dd>
<a href="#update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
</dd>
@ -196,6 +202,18 @@ ms.collection: highpri
<dd>
<a href="#update-setedurestart">Update/SetEDURestart</a>
</dd>
<dd>
<a href="#update-setpolicydrivenupdatesourcefordriver">Update/SetPolicyDrivenUpdateSourceForDriver</a>
</dd>
<dd>
<a href="#update-setpolicydrivenupdatesourceforfeature">Update/SetPolicyDrivenUpdateSourceForFeature</a>
</dd>
<dd>
<a href="#update-setpolicydrivenupdatesourceforother">Update/SetPolicyDrivenUpdateSourceForOther</a>
</dd>
<dd>
<a href="#update-setpolicydrivenupdatesourceforquality">Update/SetPolicyDrivenUpdateSourceForQuality</a>
</dd>
<dd>
<a href="#update-setproxybehaviorforupdatedetection">Update/SetProxyBehaviorForUpdateDetection</a>
</dd>
@ -245,7 +263,7 @@ ms.collection: highpri
<!--/Scope-->
<!--Description-->
Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12-hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
@ -340,7 +358,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12-hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
@ -408,9 +426,9 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.
- 2 (default) Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. Automatic restarting when a device is not being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart.
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
@ -518,9 +536,17 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 Not allowed or not configured.
- 0 Not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
> [!NOTE]
> Setting this policy back to **0** or **Not configured** does not revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:.
```
$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"
$MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d")
```
<!--/SupportedValues-->
<!--/Policy-->
@ -552,11 +578,11 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution.
Supported operations are Get and Replace.
This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
This policy is specific to desktop and local publishing via WSUS for third-party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<!--/Description-->
<!--SupportedValues-->
@ -655,18 +681,18 @@ For Quality Updates, this policy specifies the deadline in days before automatic
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
Value type is integer. Default is 7 days.
Value type is integer. Default is seven days.
Supported values range: 2-30.
Note that the PC must restart for certain updates to take effect.
The PC must restart for certain updates to take effect.
If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled.
If you disable or do not configure this policy, the PC will restart according to the default schedule.
If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations.
1. No autorestart with logged on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
<!--/Description-->
@ -724,7 +750,7 @@ If you enable this policy, a restart will automatically occur the specified numb
If you disable or do not configure this policy, the PC will restart according to the default schedule.
If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations.
1. No autorestart with logged on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
<!--/Description-->
@ -767,7 +793,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Allows the IT Admin to specify the period for auto-restart reminder notifications.
Allows the IT Admin to specify the period for autorestart reminder notifications.
The default value is 15 (minutes).
@ -815,7 +841,7 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
<!--/Scope-->
<!--Description-->
Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed.
Allows the IT Admin to specify the method by which the autorestart required notification is dismissed.
<!--/Description-->
<!--ADMXMapped-->
@ -869,7 +895,7 @@ This policy setting allows you to configure if Automatic Maintenance should make
> [!Note]
> If the OS power wake policy is explicitly disabled, then this setting has no effect.
If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required.
If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if necessary.
If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies.
<!--/Description-->
@ -974,8 +1000,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -987,7 +1012,7 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update.
Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. When set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Default value is 7.
<!--/SupportedValues-->
@ -1027,8 +1052,7 @@ Default value is 7.
<!--/Scope-->
<!--Description-->
Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -1040,7 +1064,7 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update.
Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. When set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity.
Default value is 7.
<!--/SupportedValues-->
@ -1080,8 +1104,7 @@ Default value is 7.
<!--/Scope-->
<!--Description-->
Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used.
<!--/Description-->
<!--ADMXMapped-->
@ -1094,7 +1117,61 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached.
Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update.
Default value is 2.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlinegraceperiodforfeatureupdates"></a>**Update/ConfigureDeadlineGracePeriodForFeatureUpdates**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates*
- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates*
- GP path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update.
Default value is 2.
<!--/SupportedValues-->
@ -1134,10 +1211,11 @@ Default value is 2.
<!--/Scope-->
<!--Description-->
When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart.
If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline.
When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline.
<!---same ADMX info and rest of description>
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
@ -1222,7 +1300,6 @@ Enable IT admin to configure feature update uninstall period. Values range 2 - 6
<!--/Scope-->
<!--Description-->
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
Defers Feature Updates for the specified number of days.
@ -1319,7 +1396,7 @@ ADMX Info:
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to 4 weeks.
Allows IT Admins to specify update delays for up to four weeks.
Supported values are 0-4, which refers to the number of weeks to defer updates.
@ -1328,14 +1405,14 @@ If the "Specify intranet Microsoft update service location" policy is enabled, t
If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
OS upgrade:
- Maximum deferral: 8 months
- Deferral increment: 1 month
- Maximum deferral: Eight months
- Deferral increment: One month
- Update type/notes:
- Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
Update:
- Maximum deferral: 1 month
- Deferral increment: 1 week
- Maximum deferral: One month
- Deferral increment: One week
- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic:
- Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
@ -1394,12 +1471,10 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
>
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify additional upgrade delays for up to 8 months.
Allows IT Admins to specify other upgrade delays for up to eight months.
Supported values are 0-8, which refers to the number of months to defer upgrades.
@ -1445,7 +1520,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should only be enabled when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.
Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should be enabled only when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.
<!--/Description-->
<!--ADMXMapped-->
@ -1491,7 +1566,7 @@ Do not allow update deferral policies to cause scans against Windows Update. If
For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607).
This is the same as the Group Policy in Windows Components > Windows Update "Do not allow update deferral policies to cause scans against Windows Update."
This setting is the same as the Group Policy in **Windows Components** > **Windows Update**: "Do not allow update deferral policies to cause scans against Windows Update."
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@ -1576,6 +1651,56 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-donotenforceenterprisetlscertpinningforupdatedetection"></a>**Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices.
By default, certificate pinning for Windows Update client is not enforced.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Allow user proxy to be used as a fallback if detection using system proxy fails*
- GP name: *Allow user proxy to be used as a fallback if detection using system proxy fails*
- GP path: *Windows Update\SpecifyintranetMicrosoftupdateserviceLocation*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) -Do not enforce certificate pinning
- 1 - Do not enforce certificate pinning
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
@ -1602,7 +1727,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Autorestart to Engaged restart (pending user schedule) to be executed automatically, within the specified period.
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks.
@ -1613,14 +1738,14 @@ Value type is integer. Default is 14.
Supported value range: 2 - 30.
If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling).
If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (for example, pending user scheduling).
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
1. No autorestart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
3. Specify deadline before autorestart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1662,20 +1787,20 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be executed automatically, within the specified period.
Value type is integer. Default is 14.
Supported value range: 2 - 30.
Supported value range: 2-30.
If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling).
If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (for example, pending user scheduling).
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
1. No autorestart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
3. Specify deadline before autorestart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1717,18 +1842,18 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days.
Value type is integer. Default is 3 days.
Value type is integer. Default is three days.
Supported value range: 1 - 3.
Supported value range: 1-3.
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
1. No autorestart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
3. Specify deadline before autorestart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1770,18 +1895,18 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days.
Value type is integer. Default is 3 days.
Value type is integer. Default is three days.
Supported value range: 1 - 3.
Supported value range: 1-3.
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
1. No autorestart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
3. Specify deadline before autorestart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1832,9 +1957,9 @@ Supported value range: 2 - 30.
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
1. No autorestart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
3. Specify deadline before autorestart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1878,16 +2003,16 @@ ADMX Info:
<!--Description-->
For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Value type is integer. Default value is 7 days.
Value type is integer. Default value is seven days.
Supported value range: 2 - 30.
Supported value range: 2-30.
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
1. No autorestart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
3. Specify deadline before autorestart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1929,8 +2054,6 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
Allows IT Admins to exclude Windows Update (WU) drivers during updates.
@ -2049,7 +2172,7 @@ The following list shows the supported values:
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell:
```TShell
exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
```
@ -2102,7 +2225,7 @@ The following list shows the supported values:
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell:
```TShell
exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
```
@ -2192,7 +2315,7 @@ The following list shows the supported values:
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
@ -2244,8 +2367,6 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you are running Windows 10, version 1703 or later.
@ -2422,38 +2543,14 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
<a href="" id="update-productversion"></a>**Update/ProductVersion**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -2578,10 +2675,10 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is *only* recommended for managing mobile devices. If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved.
Supported operations are Get and Replace.
@ -2623,7 +2720,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
Allows the IT Admin to specify the period for autorestart imminent warning notifications.
The default value is 15 (minutes).
@ -2675,7 +2772,7 @@ Supported values are 15, 30, or 60 (minutes).
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Allows the IT Admin to specify the period for auto-restart warning reminder notifications.
Allows the IT Admin to specify the period for autorestart warning reminder notifications.
The default value is 4 (hours).
@ -2725,7 +2822,7 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
<!--Description-->
Enables the IT admin to schedule the day of the update installation.
The data type is a integer.
The data type is an integer.
Supported operations are Add, Delete, Get, and Replace.
@ -2782,7 +2879,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Enables the IT admin to schedule the update installation on the every week. Value type is integer. Supported values:
Enables the IT admin to schedule the update installation on every week. Value type is integer. Supported values:
<ul>
<li>0 - no update in the schedule</li>
<li>1 - update is scheduled every week</li>
@ -3018,7 +3115,7 @@ ADMX Info:
Enables the IT admin to schedule the time of the update installation.
The data type is a integer.
The data type is an integer.
Supported operations are Add, Delete, Get, and Replace.
@ -3066,7 +3163,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Allows the IT Admin to disable auto-restart notifications for update installations.
Allows the IT Admin to disable autorestart notifications for update installations.
<!--/Description-->
<!--ADMXMapped-->
@ -3221,6 +3318,229 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-setpolicydrivenupdatesourcefordriver"></a>**Update/SetPolicyDrivenUpdateSourceForDriver**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
- SetPolicyDrivenUpdateSourceForFeature
- SetPolicyDrivenUpdateSourceForQuality
- SetPolicyDrivenUpdateSourceForOther
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specify source service for specific classes of Windows Updates*
- GP name: *SetPolicyDrivenUpdateSourceForDriver*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: (Default) Detect, download, and deploy Driver from Windows Update
- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS)
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-setpolicydrivenupdatesourceforfeature"></a>**Update/SetPolicyDrivenUpdateSourceForFeature**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
- SetPolicyDrivenUpdateSourceForQuality
- SetPolicyDrivenUpdateSourceForDriver
- SetPolicyDrivenUpdateSourceForOther
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specify source service for specific classes of Windows Updates*
- GP name: *SetPolicyDrivenUpdateSourceForFeature*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: (Default) Detect, download, and deploy Feature from Windows Update
- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS)
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-setpolicydrivenupdatesourceforother"></a>**Update/SetPolicyDrivenUpdateSourceForOther**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
- SetPolicyDrivenUpdateSourceForFeature
- SetPolicyDrivenUpdateSourceForQuality
- SetPolicyDrivenUpdateSourceForDriver
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specify source service for specific classes of Windows Updates*
- GP name: *SetPolicyDrivenUpdateSourceForOther*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: (Default) Detect, download, and deploy Other from Windows Update
- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS)
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-setpolicydrivenupdatesourceforquality"></a>**Update/SetPolicyDrivenUpdateSourceForQuality**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
- SetPolicyDrivenUpdateSourceForFeature
- SetPolicyDrivenUpdateSourceForDriver
- SetPolicyDrivenUpdateSourceForOther
>[!NOTE]
>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Specify source service for specific classes of Windows Updates*
- GP name: *SetPolicyDrivenUpdateSourceForQuality*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: (Default) Detect, download, and deploy Quality from Windows Update
- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS)
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-setproxybehaviorforupdatedetection"></a>**Update/SetProxyBehaviorForUpdateDetection**
@ -3248,9 +3568,9 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents.
Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP-based intranet server despite the vulnerabilities it presents.
This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security.
This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS-based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security.
<!--/Description-->
<!--ADMXMapped-->
@ -3413,7 +3733,7 @@ ADMX Info:
> [!IMPORTANT]
> Starting in Windows 10, version 1703 this policy is not supported in IoT Mobile.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This setting is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Supported operations are Get and Replace.

133
windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md Normal file
View File

@ -0,0 +1,133 @@
---
title: Policy CSP - VirtualizationBasedTechnology
description: Learn to use the Policy CSP - VirtualizationBasedTechnology setting to control the state of Hypervisor-protected Code Integrity (HVCI) on devices.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: alekyaj
ms.localizationpriority: medium
ms.date: 11/25/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - VirtualizationBasedTechnology
<hr/>
<!--Policies-->
## VirtualizationBasedTechnology policies
<dl>
<dd>
<a href="#virtualizationbasedtechnology-hypervisorenforcedcodeintegrity">VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity</a>
</dd>
<dd>
<a href="#virtualizationbasedtechnology-requireuefimemoryattributestable">VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="virtualizationbasedtechnology-hypervisorenforcedcodeintegrity"></a>**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
>[!NOTE]
>After the policy is pushed, a system reboot will be required to change the state of HVCI.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock
- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock
- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="virtualizationbasedtechnology-requireuefimemoryattributestable"></a>**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
>[!NOTE]
>After the policy is pushed, a system reboot will be required to change the state of HVCI.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0: (Disabled) Do not require UEFI Memory Attributes Table
- 1: (Enabled) Require UEFI Memory Attributes Table
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--/Policies-->

74
windows/client-management/mdm/policy-csp-windowsautopilot.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Policy CSP - WindowsAutoPilot
description: Learn to use the Policy CSP - WindowsAutoPilot setting to enable or disable Autopilot Agility feature.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: alekyaj
ms.localizationpriority: medium
ms.date: 11/25/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - WindowsAutoPilot
<hr/>
<!--Policies-->
## WindowsAutoPilot policies
<dl>
<dd>
<a href="#windowsautopilot-enableagilitypostenrollment">WindowsAutoPilot/EnableAgilityPostEnrollment</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="windowsautopilot-enableagilitypostenrollment"></a>**WindowsAutoPilot/EnableAgilityPostEnrollment**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy enables Windows Autopilot to be kept up-to-date during the out-of-box experience after MDM enrollment.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--/Policies-->

50
windows/client-management/mdm/policy-csp-wirelessdisplay.md
View File

@ -26,6 +26,9 @@ manager: dansimp
<dd>
<a href="#wirelessdisplay-allowmdnsdiscovery">WirelessDisplay/AllowMdnsDiscovery</a>
</dd>
<dd>
<a href="#wirelessdisplay-allowmovementdetectiononinfrastructure">WirelessDisplay/AllowMovementDetectionOnInfrastructure</a>
</dd>
<dd>
<a href="#wirelessdisplay-allowprojectionfrompc">WirelessDisplay/AllowProjectionFromPC</a>
</dd>
@ -129,6 +132,53 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="wirelessdisplay-allowmovementdetectiononinfrastructure"></a>**WirelessDisplay/AllowMovementDetectionOnInfrastructure**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to disable the infrastructure movement detection feature.
If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure.
If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session.
The default value is 1.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - Do not allow
- 1 (Default) - Allow
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="wirelessdisplay-allowprojectionfrompc"></a>**WirelessDisplay/AllowProjectionFromPC**

10
windows/client-management/mdm/policymanager-csp.md
View File

@ -14,14 +14,16 @@ ms.date: 06/28/2017
# PolicyManager CSP
PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile and Windows Phone 8.1
> **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices.
-->
## Related articles
[Policy CSP](policy-configuration-service-provider.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

77
windows/client-management/mdm/registry-csp.md
View File

@ -1,77 +0,0 @@
---
title: Registry CSP
description: In this article, learn how to use the Registry configuration service provider (CSP) to update registry settings.
ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# Registry CSP
The Registry configuration service provider is used to update registry settings. However, if there is configuration service provider that is specific to the settings that need to be updated, use the specific configuration service provider.
> [!NOTE]
> The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
For Windows 10 Mobile only, this configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
 
For the Registry CSP, you cannot use the Replace command unless the node already exists.
The Registry configuration service provider can be managed over both the OMA Client Provisioning and the OMA DM protocol. When using OMA DM to add a registry key, a child registry value must also be added in the XML code.
For OMA Client Provisioning, the follows notes apply:
- Querying the registry at the top level is not allowed. All parameters must be queried individually. The underlying data store of the Registry is typed. Be sure to use the **datatype** attribute of the *&lt;parm&gt;* tag.
- This documentation describes the default characteristics. Additional characteristics may be added.
- Because the **Registry** configuration service provider uses the backslash (\\) character as a separator between key names, backslashes, which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\\).
The default security role maps to each subnode unless specific permission is granted to the subnode. The security role for subnodes is implementation specific, and can be changed by OEMs and mobile operators.
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available|
|--- |--- |
|Parm-query|Yes|
|Noparm|Yes|
|Uncharacteristic|Yes|
|Characteristic-query|Yes<br/><br/>Recursive query: Yes<br/><br/>Top-level query: No|
 
Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD elements.
## Supported Data Types
The following table shows the data types this configuration service provider supports.
|XML Data Type|Native Registry Type|XML Format|
|--- |--- |--- |
|Integer|REG_DWORD|Integer. A query of this parameter returns an integer type.|
|Boolean|REG_DWORD|Integer value of 1 or 0. A query of this parameter returns an integer type.|
|Float|REG_SZ|Float. A query of this parameter returns a string type.|
|String|REG_SZ|String. A query of this parameter returns a string type.|
|multiple string|REG_MULTI_SZ|Multiple strings are separated by **&#xF000** and ended with two **&#xF000** - A query of this parameter returns a multi-string type.|
|Binary|REG_BINARY|Base64 encoded. A query of this parameter returns a binary type.|
|Time|FILETIME in REG_BINARY|The time format conforms to the ISO8601 standard, with the date portion optional. If the date portion is omitted, also omit the "T" delimiter. A query of this parameter returns a binary type.|
|Date|FILETIME in REG_BINARY|The date format conforms to the ISO8601 standard, with the time portion optional. If the time portion is omitted, also omit the "T" delimiter. A query of this parameter returns a binary type.|
 
It is not possible to access registry keys nested under the current path by using the Registry configuration service provider. Instead, the values of the subkey must be accessed separately by using a new characteristic.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

130
windows/client-management/mdm/registry-ddf-file.md
View File

@ -1,130 +0,0 @@
---
title: Registry DDF file
description: Learn about the OMA DM device description framework (DDF) for the Registry configuration service provider (CSP).
ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# Registry DDF file
This topic shows the OMA DM device description framework (DDF) for the **Registry** configuration service provider. DDF files are used only with OMA DM provisioning XML.
```xml
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Registry</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>The root node of registry</Description>
</DFProperties>
<Node>
<NodeName>HKCR</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>HK_CLASSES_ROOT portion of device registry.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>HKCU</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>HK_CURRENT_USER portion of device registry.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>HKLM</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>HK_LOCAL_MACHINE portion of device registry.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>HKU</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>HK_USERS portion of device registry.</Description>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[Registry configuration service provider](registry-csp.md)
 
 

108
windows/client-management/mdm/remotelock-csp.md
View File

@ -1,108 +0,0 @@
---
title: RemoteLock CSP
description: Learn how RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# RemoteLock CSP
The RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
> [!Note]
> The RemoteLock CSP is only supported in Windows 10 Mobile.
<a href="" id="--vendor-msft-remotelock"></a>**./Vendor/MSFT/RemoteLock**
<p>Defines the root node for the RemoteLock configuration service provider.</p>
<a href="" id="lock"></a>**Lock**
Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. The supported operations are Get and Exec.
|Status|Description|Meaning [Standard]|
|--- |--- |--- |
|(200) OK|The device was successfully locked.|The command and the associated Alert action are completed successfully.|
|(405)|The device could not be locked because there is no PIN currently set on the device.|The requested command is not allowed on the target.|
|(500) Command failed|The device was not locked for some unknown reason.|Non-specific errors were created by the recipient while attempting to complete the command.|
<a href="" id="lockandresetpin"></a>**LockAndResetPIN**
This setting can be used to lock and reset the PIN on the device. It is used in conjunction with the NewPINValue node. After the **Exec** operation is called successfully on this node, the previous PIN will no longer work and cannot be recovered. The supported operation is Exec.
This node will return the following status. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification.
|Status|Description|Meaning|
|--- |--- |--- |
|(200) OK|The device has been locked with a new password which has been reset.|The command and the associated Alert action are completed successfully.|
|(500) Command failed|N/A|Non-specific errors were created by the recipient while attempting to complete the command.|
<a href="" id="lockandrecoverpin"></a>**LockAndRecoverPIN**
Added in Windows 10, version 1703. This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work.
Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](./passportforwork-csp.md#tenantid-policies-enablepinrecovery) policy is set on the client.
<a href="" id="newpinvalue"></a>**NewPINValue**
This setting contains the PIN after Exec has been called on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin. If LockAndResetPIN or LockAndResetPIN has never been called, the value will be null. If Get is called on this node after a successful Exec call on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin, then the new PIN will be provided. If another Get command is called on this node, the value will be null. If you need to reset the PIN again, then another LockAndResetPIN Exec can be communicated to the device to generate a new PIN. The PIN value will conform to the minimum PIN complexity requirements of the merged policies that are set on the device. If no PIN policy has been set on the device, the generated PIN will conform to the default policy of the device.
The data type returned is a string.
The supported operation is Get.
A Get operation on this node must follow an Exec operation on the /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin node in the proper order and in the same SyncML message. The Sequence tag can be used to guarantee the order in which commands are processed.
## Examples
Initiate a remote lock of the device.
```xml
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/Lock </LocURI>
</Target>
</Item>
</Exec>
```
Initiate a remote lock and PIN reset of the device. To successfully retrieve the new device-generated PIN, the commands must be executed together and in the proper sequence as shown below.
```xml
<Sequence>
<CmdID>1</CmdID>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/LockAndResetPIN </LocURI>
</Target>
</Item>
</Exec>
<Get>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/NewPINValue </LocURI>
</Target>
</Item>
</Get>
</Sequence>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 

153
windows/client-management/mdm/remotelock-ddf-file.md
View File

@ -1,153 +0,0 @@
---
title: RemoteLock DDF file
description: Learn about the OMA DM device description framework (DDF) for the RemoteLock configuration service provider (CSP).
ms.assetid: A301AE26-1BF1-4328-99AB-1ABBA4960797
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# RemoteLock DDF file
This topic shows the OMA DM device description framework (DDF) for the **RemoteLock** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC "-//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[
<?oma-dm-ddf-ver supported-versions="1.2"?>
]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>RemoteLock</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Lock</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LockAndResetPIN</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LockAndRecoverPIN</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NewPINValue</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[RemoteLock configuration service provider](remotelock-csp.md)
 
 

24
windows/client-management/mdm/reporting-csp.md
View File

@ -15,10 +15,11 @@ ms.date: 06/26/2017
# Reporting CSP
The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. This CSP was added in Windows 10, version 1511.
The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. This CSP was added in Windows 10, version 1511.
The following DDF format shows the Reporting configuration service provider in tree format.
```
```console
./Vendor/MSFT
Reporting
----EnterpriseDataProtection
@ -33,14 +34,18 @@ Reporting
------------StartTime
------------Type
```
<a href="" id="reporting"></a>**Reporting**
Root node.
<a href="" id="reporting-enterprisedataprotection"></a>**Reporting/EnterpriseDataProtection**
Interior node for retrieving the Windows Information Protection (formerly known as Enterprise Data Protection) logs.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
<a href="" id="reporting-securityauditing--for-mobile-only-"></a>**Reporting/SecurityAuditing** (for mobile only)
Interior node for retrieving the security auditing logs. This node is only for mobile devices.
-->
<a href="" id="retrievebytimerange"></a>**RetrieveByTimeRange**
Returns the logs that exist within the StartTime and StopTime. The StartTime and StopTime are expressed in ISO 8601 format. If the StartTime and StopTime are not specified, then the values are interpreted as either first existing or last existing time.
@ -89,7 +94,7 @@ Value type is int.
Supported operations are Get and Replace.
## Examples
## Example
Retrieve all available Windows Information Protection (formerly known as Enterprise Data Protection) logs starting from the specified StartTime.
@ -114,6 +119,8 @@ Retrieve all available Windows Information Protection (formerly known as Enterpr
</SyncML>
```
<!-- 12.16.2021 mandia: Commenting out, as this CSP example is specific to Windows 10 Mobile.
Retrieve a specified number of security auditing logs starting from the specified StartTime.
```xml
@ -163,13 +170,4 @@ Retrieve a specified number of security auditing logs starting from the specifie
</SyncBody>
</SyncML>
```
 
 
-->

Some files were not shown because too many files have changed in this diff Show More